IPv6 SLAAC and DHCPv6 Lab
Introduction
IPv6 changes the way hosts obtain their network addresses. Unlike IPv4, where DHCP is the dominant method for dynamic address assignment, IPv6 introduces multiple mechanisms that can work independently or together. Understanding how Stateless Address Autoconfiguration (SLAAC) and DHCPv6 operate is essential for any network engineer preparing for the CCNA exam and for real-world deployment of IPv6 networks.
In this lesson, you will learn how IPv6 hosts discover routers on the local link, how they automatically generate their own addresses using SLAAC, and when DHCPv6 steps in to provide addressing or additional configuration. You will also explore the Neighbor Discovery Protocol (NDP), which replaces ARP from the IPv4 world, and see how Duplicate Address Detection (DAD) ensures every address on the link is unique. By the end of this lesson, you will be able to explain the full lifecycle of IPv6 address assignment and verify it on Cisco devices.
Key Concepts
NDP: The Foundation of IPv6 Address Resolution
Neighbor Discovery Protocol (NDP) is the IPv6 replacement for several IPv4 mechanisms. Where IPv4 relies on ARP for address resolution and DHCP for default gateway discovery, IPv6 consolidates these functions into NDP using ICMPv6 messages.
| IPv4 Mechanism | IPv6 Equivalent |
|---|---|
| ARP Request | Neighbor Solicitation (NS) |
| ARP Reply | Neighbor Advertisement (NA) |
| Broadcast for resolution | All-Nodes Multicast or Solicited-Node Multicast |
| Default Gateway via DHCP | Default Gateway via Router Advertisement (RA) |
| Address Assignment via DHCP | SLAAC, DHCPv6, or both |
NDP messages are sourced from a link-local address (fe80::/64), the one exception being the unspecified address (::) used during DAD, and they carry a Hop Limit of 255. Receivers discard NDP messages with any lower value; this is a Generalized TTL Security Mechanism: because every router hop decrements the Hop Limit, a message that still reads 255 must have originated on the local link and cannot have been forwarded in from elsewhere.
The key NDP message types are:
- Router Solicitation (RS) -- ICMPv6 Type 133
- Router Advertisement (RA) -- ICMPv6 Type 134
- Neighbor Solicitation (NS) -- ICMPv6 Type 135
- Neighbor Advertisement (NA) -- ICMPv6 Type 136
- Neighbor Unreachability Detection (NUD) -- verifies cached neighbors are still reachable
- Duplicate Address Detection (DAD) -- confirms address uniqueness before use
Solicited-Node Multicast
Every IPv6 unicast address has a corresponding solicited-node multicast address in the range ff02::1:ff00:0/104, which the interface must join. The address is formed by appending the last 24 bits of the unicast address to the solicited-node prefix. Every Layer 3 IPv6 multicast address also maps to a Layer 2 multicast address of the form 33-33-xx-xx-xx-xx, where the four xx bytes are the last 32 bits of the IPv6 address.
For example, if a host has the link-local address fe80::04cb:57ff:fe3c:deca, the solicited-node multicast destination becomes ff02::1:ff3c:deca, and the Ethernet destination maps to 33-33-FF-3C-DE-CA.
SLAAC vs. DHCPv6
IPv6 address assignment falls into three categories:
| Method | How It Works | Controlled By |
|---|---|---|
| Static | Manually configured on the interface | Administrator |
| SLAAC | Host generates its own address from RA prefix + interface ID | Router Advertisement flags |
| DHCPv6 Stateful | Full address assigned by DHCPv6 server (M-flag = 1) | Router Advertisement flags |
| DHCPv6 Stateless | Host uses SLAAC for address but queries DHCPv6 for extra info like DNS (O-flag = 1) | Router Advertisement flags |
How It Works
Neighbor Solicitation and Advertisement
When Node A needs to resolve Node B's link-layer (MAC) address, it sends a Neighbor Solicitation (NS) -- ICMPv6 Type 135. This message is sent to Node B's solicited-node multicast address rather than a broadcast, making it far more efficient than IPv4 ARP.
The NS contains:
- Source: fe80::a (Node A's link-local)
- Destination: ff02::1:ff00:b (Node B's solicited-node multicast)
- Target Address: 2001:db8:46:46::b
- Option 1 (SLLA): Node A's link-layer address
Node B responds with a Neighbor Advertisement (NA) -- ICMPv6 Type 136:
- Source: fe80::b
- Destination: fe80::a (unicast back to Node A)
- Target Address: 2001:db8:46:46::b
- Option 2 (TLLA): Node B's link-layer address
- Flags: R (Router), S (Solicited, i.e. sent in response to an NS), O (Override the existing cache entry)
An important detail: when Node B receives the NS, it also adds Node A to its own neighbor cache without needing to send a separate NS. Multicast is used for initial resolution of new neighbors, while unicast is used for reachability checks of cached entries.
Duplicate Address Detection (DAD)
Before any IPv6 address can be used, the host performs Duplicate Address Detection. The host sends an NS with:
- Source: the unspecified address (::)
- Destination: the solicited-node multicast of the address being tested
- No SLLA option is included
If no response comes back, the address is unique and safe to use. Most vendors now support Optimistic DAD, which allows the node to begin using the address immediately while DAD runs in the background.
Router Solicitation and Advertisement
When a host boots up, it sends a Router Solicitation (RS) -- ICMPv6 Type 133 -- to the all-routers multicast address ff02::2. The RS includes the host's source link-layer address (SLLA) as an option.
Routers respond with a Router Advertisement (RA) -- ICMPv6 Type 134 -- which is also sent at regular intervals. The RA carries critical provisioning information including the subnet prefix, lifetime values, and autoconfig flags.
The two flags in the RA that control address assignment behavior are:
- M-flag (Managed): When set to 1, tells hosts to use Stateful DHCPv6 to acquire their IPv6 address.
- O-flag (Other): When set to 1, tells hosts to use Stateless DHCPv6 in addition to SLAAC to obtain extra information such as DNS server addresses.
The RA also includes Prefix Information options with their own flags:
- L bit: Indicates an on-link prefix -- this is the only way a host learns that a prefix is on-link.
- A bit: Enables SLAAC for that prefix. This is typically the opposite of the M-flag.
Additional RA fields include Router Preference (Low, Medium, or High) and Router Lifetime, which must be greater than zero for the router to be used as a default gateway.
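As an added example (not part of the original lesson or any Cisco code), the following builds a constructed Router Advertisement with one Prefix Information option, decodes the M, O, L and A bits, and applies the host decision described above. The message layout follows the RA format (ICMPv6 type 134, option type 3); the checksum is left at zero because the sample is never sent on the wire. The same decoder can be pointed at captured RAs when checking what a router, or a rogue device, is actually advertising.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # NDP option type: Prefix Information

def build_ra(prefix, m=False, o=False, l=True, a=True, router_lifetime=1800):
    """Build a constructed sample RA with one Prefix Information option (checksum left 0)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)            # M and O bits
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      router_lifetime, 30000, 1000)            # reachable 30 s, retrans 1 s
    net = ipaddress.IPv6Network(prefix)
    pflags = (0x80 if l else 0) | (0x40 if a else 0)           # L (on-link) and A (SLAAC) bits
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0) + net.network_address.packed
    return hdr + opt

def parse_ra(pkt):
    """Decode the RA flags and prefix options, then apply the host's M/O/A decision."""
    msg_type, _, _, _, flags, lifetime, _, _ = struct.unpack_from("!BBHBBHII", pkt)
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "router_lifetime": lifetime,
          "default_gw_ok": lifetime > 0, "prefixes": []}     # lifetime 0: not a default router
    off = 16                                                 # fixed RA header is 16 bytes
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8             # option length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length option")            # must be discarded (RFC 4861)
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{addr}/{plen}",
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40)})
        off += olen
    slaac = any(p["A"] for p in ra["prefixes"])
    if ra["M"]:
        ra["method"] = "stateful DHCPv6" + (" + SLAAC" if slaac else "")
    elif slaac and ra["O"]:
        ra["method"] = "SLAAC + stateless DHCPv6"
    elif slaac:
        ra["method"] = "SLAAC"
    else:
        ra["method"] = "none (M=0 and no prefix with the A-flag)"
    return ra
```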
Interface ID Generation with SLAAC
When SLAAC is active, the host needs to generate the 64-bit interface ID portion of its address. There are several methods:
EUI-64: The original method takes the 48-bit MAC address (e.g., 00:90:27:17:fc:0f), splits it in half, inserts FF:FE in the middle to create a 64-bit value (00:90:27:FF:FE:17:fc:0f), and then flips the Universal/Local (U/L) bit, the seventh bit of the first byte, giving 02:90:27:FF:FE:17:fc:0f (interface ID 290:27ff:fe17:fc0f). In the resulting modified EUI-64 format a U/L bit of 1 means universal/unique; 0 means local/not unique. Because the interface ID exposes the hardware MAC address and stays the same on every network, this method is no longer used by most host operating systems.
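The EUI-64 transformation just described, as an added example (not from the original lesson): it derives the interface ID from the lesson's sample MAC, combines it with an RA prefix, and also does the reverse, reporting the MAC an EUI-64 shaped address reveals. The reverse check is the one a defender wants when auditing which hosts still expose hardware addresses instead of using privacy or stable interface IDs.

```python
import ipaddress

def mac_to_eui64(mac):
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit (0x02 of byte 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]          # 8-byte interface ID

def slaac_address(prefix, mac):
    """Combine a /64 prefix learned from an RA with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))

def embedded_mac(addr):
    """Return the MAC an EUI-64 interface ID reveals, or None if the ID is not EUI-64 shaped.
    Privacy-extension and RFC 7217 addresses have no FF:FE marker and return None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L flip, drop FF:FE
    return ":".join(f"{b:02x}" for b in octets)
```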
Privacy Extensions (RFC 8981): A randomly generated interface ID for each interface, enabled by default in Windows, Android, iOS, macOS, and Linux. Temporary addresses rotate periodically for additional privacy.
RFC 7217 Stable Addresses: Generates interface IDs that are stable and constant for each subnet but change as hosts move from one network to another, providing a balance between privacy and consistency.
DHCPv6 Stateful Operation
When the M-flag is set, hosts use Stateful DHCPv6 following a four-step process:
- SOLICIT -- Client sends to ff02::1:2 (all DHCPv6 servers) asking for available servers
- ADVERTISE -- Server responds offering an address
- REQUEST -- Client requests the offered address
- REPLY -- Server confirms the assignment
DHCPv6 messages are sent from the client's link-local (fe80::) address to ff02::1:2, using UDP port 546 on the client and UDP port 547 on the server. Clients are identified by a DUID (DHCP Unique Identifier), unlike IPv4 DHCP, which identifies clients by MAC address.
DHCPv6 Stateless Operation
When the M-flag is 0 and the O-flag is 1, hosts use SLAAC for their address but still contact a DHCPv6 server for additional information such as DNS servers. This uses the same source/destination addresses and ports as Stateful DHCPv6.
Configuration Example
You can verify IPv6 interface configuration and NDP behavior using the following commands.
Verifying IPv6 Interface Status
```
R1# show ipv6 interface Ethernet0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:46:1234::1, subnet is 2001:DB8:46:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND router advertisements are sent every 200 seconds
```
This output reveals several important details:
- The router has both a link-local (FE80::200:CFF:FE3A:8B18) and a global unicast address (2001:DB8:46:1234::1).
- It has joined four multicast groups: FF02::1 (all-nodes), FF02::2 (all-routers), and two solicited-node multicast addresses.
- DAD is enabled with 1 attempt.
- The ND reachable time is 30000 milliseconds (30 seconds).
- Router advertisements are sent every 200 seconds.
Note: When EUI-64 format is used, a single solicited-node multicast address may serve both the link-local and global unicast addresses if their last 24 bits match.
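The following is an added example (not part of the original lesson or Cisco's tooling) that ties the solicited-node multicast rules from the Key Concepts section to the verification output above: it derives the solicited-node group and its Ethernet mapping for any unicast address, then parses a constructed excerpt of the `show ipv6 interface` output and checks that every unicast address on the interface has its solicited-node group joined. A missing group would mean the interface cannot answer Neighbor Solicitations for that address.

```python
import ipaddress
import re

# Constructed excerpt of the "show ipv6 interface Ethernet0" output shown above.
SHOW_OUTPUT = """\
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:46:1234::1, subnet is 2001:DB8:46:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
"""

SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]  # ff02::1:ff00:0/104

def solicited_node(addr):
    """Solicited-node multicast = ff02::1:ff00:0/104 plus the last 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + ipaddress.IPv6Address(addr).packed[13:])

def l2_multicast_mac(mcast):
    """Map an IPv6 multicast address to Ethernet 33-33-xx-xx-xx-xx (33-33 + last 32 bits)."""
    low = ipaddress.IPv6Address(mcast).packed[12:]
    return "-".join(f"{b:02X}" for b in b"\x33\x33" + low)

def check_show_ipv6_interface(output):
    """For each unicast address in the output, report whether its solicited-node group is joined."""
    unicast = re.findall(r"link-local address is (\S+)", output)
    unicast += re.findall(r"^\s*([0-9A-Fa-f:]+), subnet is", output, re.M)
    joined, in_groups = set(), False
    for line in output.splitlines():
        text = line.strip()
        if text.startswith("Joined group address(es):"):
            in_groups = True
        elif in_groups and re.fullmatch(r"[0-9A-Fa-f:]+", text):
            joined.add(ipaddress.IPv6Address(text))
        else:
            in_groups = False                      # first non-address line ends the group list
    return {a: solicited_node(a) in joined for a in unicast}
```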
Real-World Application
Deployment Scenarios
In production networks, the choice between SLAAC and DHCPv6 depends on the level of control required:
- SLAAC alone works well for simple networks where hosts just need connectivity and DNS is handled separately. However, because hosts generate their own addresses, you cannot predict or audit which address a specific host will use -- particularly with privacy extensions enabled.
- SLAAC + Stateless DHCPv6 (O-flag) is common in enterprise networks where hosts need SLAAC addressing but also require DNS server information from a central source.
- Stateful DHCPv6 (M-flag) provides the most control, similar to IPv4 DHCP, with predictable address assignments tracked by the server. However, not all operating systems support it -- notably, Android does not support DHCPv6.
Design Considerations
- The NDP cache on a router can theoretically hold up to 2^64 entries per interface, making it vulnerable to denial-of-service attacks. Rate limiting and cache size limits (enabled by default in most operating systems) are essential protections.
- NDP has no built-in authentication, meaning NDP messages can be spoofed, similar to ARP in IPv4.
- SLAAC addresses with privacy extensions make host-based ACLs impractical since the addresses rotate. Plan your security policies accordingly.
- Use simple, memorable static addresses for infrastructure devices -- for example, 2001:db8::53 for a DNS server or fe80::1 for the default gateway.
Best Practice: Do not rely solely on address obscurity for security. While IPv6 scanning of a /64 subnet is practically impossible due to the enormous address space, hosts can still be discovered through other methods such as DNS records, logs, or active connections.
Summary
- NDP replaces ARP in IPv6, using solicited-node multicast instead of broadcast for efficient address resolution. NS (Type 135) and NA (Type 136) handle neighbor discovery, while RS (Type 133) and RA (Type 134) handle router and prefix discovery.
- SLAAC allows hosts to generate their own IPv6 addresses from the prefix advertised in Router Advertisements. Modern hosts use privacy extensions (RFC 8981) or stable addresses (RFC 7217) instead of EUI-64.
- DHCPv6 Stateful (M-flag = 1) assigns addresses centrally using a SOLICIT/ADVERTISE/REQUEST/REPLY exchange on UDP ports 546 (client) and 547 (server), identifying clients by DUID rather than MAC address.
- DHCPv6 Stateless (O-flag = 1) supplements SLAAC by providing additional configuration like DNS without assigning addresses.
- DAD ensures address uniqueness on the local link before a host begins using any IPv6 address, sending an NS from the unspecified address (::).
To continue building your IPv6 skills, explore topics such as IPv6 extension header security, first-hop security features like RA Guard and DHCPv6 Guard, and IPv6 ACL configuration on Cisco devices.