Netgate Discussion Forum

    SLAAC versus DHCPv6

    ronv42

      I think the real issue is that for consumers SLAAC was supposed to make provisioning of single-segment home networks "just work". But then ISPs, being the center of all control, didn't follow the outlined best practice that a /54 or /60 is the base prefix and that IPv6 addresses should be "persistent". Too many ISPs will only issue a /64 for one segment and expire the address every 24 hours, forcing the network and devices to re-address each time.

      If things were different, I would have engineered the IPv6 internet so that I pay per year for a /54 block of IPv6 addresses that would be portable to any ISP, and the ISP just becomes a pipe. The ISP shouldn't have the power to revoke addresses based on a policy that blows in the wind.

      On the client side there would be only two rules: SLAAC, or DHCPv6 assisted by SLAAC for router and DNS information, for static addressing.

      JKnott @keyser

        @keyser said in SLAAC versus DHCPv6:

        It’s a pita that they cock’ed up IPv6 so much.

        No. It was Google that didn't enable DHCPv6 on Android or Chrome devices.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        keyser @JKnott

          @JKnott said in SLAAC versus DHCPv6:

          No. It was Google that didn't enable DHCPv6 on Android or Chrome devices.

          It’s a little more complicated than that. I have yet to successfully attach pfSense directly to an ISP and have IPv6 working (tried 4 different ISPs that all “support” IPv6 now). If you set it up behind the ISP's router, where they have made sure basic Windows/Linux clients work, then pfSense will also work. But anything directly linked to the ISP fiber/bridge-mode box is a PITA to get IPv6 working properly.

          The problems come from the MILLIONS of options both the SLAAC and the DHCPv6 process offer, and if the client does not send the right parameters, use the correct intervals or accept persistence, something/everything IPv6 related stops working.
          On top of that, the DHCP6c client in pfSense doesn’t support many of the DHCPv6 options that I have seen ISPs require to get IPv6 going, or it doesn’t support the specific combo of settings/intervals needed to keep it going after the initial lease is accepted.

          Granted, this is mainly the ISPs that are cock’ing up things, but the fact that it CAN require so much special config with very specific settings and configurations to get basic DHCPv6 going just shows it’s not matured yet (or standardized properly).

          Love the no fuss of using the official appliances :-)

            Patch @ronv42

            @ronv42 said in SLAAC versus DHCPv6:

            Too many ISP's only will issue a /64 for one segment, expire the address every 24 hours forcing the network and devices to re-address each time.

            If things were different, I would have engineered IPv6 internet where I pay per year for a block of IPv6 addresses /54

            You are describing the difference between a static and dynamic IP address.

            • Static is better for a public or at least internet accessible server (dynamic Domain name not required)

            • Dynamic is better for user privacy (IP with mask shows ISP user has used to access internet rather than which user internet account was used).

              JKnott @Patch

              @Patch said in SLAAC versus DHCPv6:

              You are describing the difference between a static and dynamic IP address.

              If the ISP honours the DUID the prefix should be essentially static. I've had the same prefix for well over 5 years. That's "static" enough for me. 😉

                Patch @JKnott

                @JKnott
                Not sure why that was addressed to me. I was describing the different use case for static and dynamic IP, not how to get a static IP.

                  JKnott @Patch

                  @Patch

                  Well, I did respond to your post. However, the last line about dynamic is better for privacy is wrong. With SLAAC you get up to 7 privacy addresses, based on a random number. You get a new one every day, with the oldest falling off the list. The most recent is the address used for outgoing connections. The consistent address, which can be based on either the MAC address or a random number, can be used for things like VPN access to your network. Unless the DHCPv6 address changes every day, it's actually worse for privacy.

                    ronv42 @JKnott

                    @JKnott I don't know if you have Comcast or not. I am fighting them for a site I just hooked up in Northbrook, Illinois. Every 24 hours they re-allocate the darn IPv6. They are handing out a /60, but it's a PITA. I will be removing their Xfinity gateway and going with a vanilla cable modem to see if this gets rid of the IP address swaps they are doing. Comcast plays so many games to upsell features you will never use through their crappy gateway to get a discount.

                      JKnott @ronv42

                      @ronv42

                      I'm on Rogers and they use the same equipment as Comcast. However, there is a setting in pfSense that may affect this. It's System / Advanced / Networking / Do not allow PD/Address release. If that's not selected, the prefix will change frequently.

                        Patch @JKnott

                        @JKnott said in SLAAC versus DHCPv6:

                        line about dynamic is better for privacy is wrong. With SLAAC you get up to 7 privacy addresses, based on a random number.

                        They are all in the same range provided by the ISP, readily revealed by masking any one of these addresses.

                        • A dynamic ISP address range publishes which ISP the user is connected to the internet by
                        • A static ISP address publishes your personal address range

                        Then if one of the devices on your network has location services enabled for "Network & Wireless" or through your browser then the "privacy" addresses have your street address encoded in every internet communication.

                        Recording addresses over time is likely to reveal what the 7 "private" addresses are for each device.

                        So a static IP address range is not really very private at all in my opinion.

                          JKnott @Patch

                          @Patch said in SLAAC versus DHCPv6:

                          they are all in the same range provided by the ISP, readily revealed by masking the address of any one of these addresses.

                          A dynamic ISP address range publishes which ISP the user is connected to the internet by
                          A static ISP address publishes your personal address range
                          recording addresses over time is likely to reveal what the 7 "private" addresses are for each device

                          My WAN address is provided by DHCPv6, along with my prefix. It makes no difference whether I use SLAAC or DHCPv6 on my LAN, with regard to my prefix. It will be the same either way. The only issue is whether the ISP will honour the DUID.

                          One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course there's a firewall called pfSense that goes a long way to keeping attackers out! 😉

                            ronv42 @JKnott

                            @JKnott said in SLAAC versus DHCPv6:

                            One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course, there's a firewall called pfSense that goes a long way to keeping attackers out!

                            Now do the math with a /60: 16 x 18.4 billion. There is a reason I never see IPv6 address scans, but I still see port scans; once a nefarious site logs your IPv6 they have the basic IP subnet, and it would take forever to scan through all those addresses.

                              JKnott @ronv42

                              @ronv42

                              With my /56, it's 256 /64s. Yeah, it would take a while. I mentioned privacy addresses. They have a lifetime of 7 days. After that, they'd have to start over to find another address.

                                Jung-Fernmelder

                                Here is the guy who started the conversation. Thank you very much for all the information and the discussion. This helps me.

                                Conclusion:
                                Use SLAAC for clients and DHCPv6 for servers.

                                @keyser said in SLAAC versus DHCPv6:

                                is a PITA to get IPv6 working properly

                                +1
                                IPv6 is much more complicated than IPv4. And that's okay. Everybody involved in networking should be able to learn the IPv6 basics.
                                But the ISPs have messed it up, especially with frequent prefix renewals, which are heavy to handle and unnecessary. Three or four IPv6 prefix renewals per year would be enough.

                                  Patch @JKnott

                                  @JKnott said in SLAAC versus DHCPv6:

                                  It makes no difference whether I use SLAAC or DHCPv6 on my LAN, with regard to my prefix

                                  Correct

                                  @JKnott said in SLAAC versus DHCPv6:

                                  One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack

                                  That is not an address privacy issue, but it may be part of a network server's exposure to the internet. Network protection by obfuscation is not really a good approach, as it fails rapidly if someone takes the time to look, especially if they can get a hint where to look from another source (human engineering, traffic monitoring etc). Direct protection using a decent firewall is far better.

                                  @JKnott said in SLAAC versus DHCPv6:

                                  With SLAAC you get up to 7 privacy addresses, based on a random number.

                                  As I have tried to explain, 7 network addresses is a tiny number, and every one of these addresses has the same prefix.

                                  • If your ISP is giving you a static prefix, the prefix will almost certainly encode / reveal your street address every time you make an internet connection from any device on your local network. My interpretation of this is that the "SLAAC privacy addresses" you are using may be making you feel you have achieved something, but they actually provide almost no privacy functionality.

                                  • If your ISP is giving you a dynamic prefix, the prefix will encode / reveal what ISP you are using but not which service or your street address. If you then add some randomisation of the lower-order bits for each device you may achieve some privacy (not as much as a VPN or the routing randomisation Tor tries to achieve).

                                  @Jung-Fernmelder said in SLAAC versus DHCPv6:

                                  ISPs have messed it up, especially with frequent prefix renewals which are heavy to handle and unnecessary.

                                  They are offering some internet privacy to those users who like some privacy. If you don't value privacy, then perusing the options for a static IP address would be appropriate for you.

                                    eagle61 @keyser
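An added example in Python, not code from the thread or from pfSense, that works through the two arguments above: masking any observed address to /64 reveals the shared LAN prefix regardless of how many SLAAC privacy addresses a host rotates through (Patch's point), and the size of a /56 or /60 delegation and the time a brute-force sweep of one /64 would take (JKnott's and ronv42's math). The delegated prefix and the observed addresses are constructed documentation values under 2001:db8::/32, and the ff:fe check is a heuristic for EUI-64-derived stable addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: a /56 delegated by an ISP and four addresses seen
# leaving the network (documentation prefix 2001:db8::/32, not a real site).
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1200::/56")
OBSERVED = [
    "2001:db8:abcd:1201:1a2b:3cff:fe4d:5e6f",  # stable, EUI-64 derived (ff:fe marker)
    "2001:db8:abcd:1201:7c91:44e0:2a1b:9f03",  # temporary "privacy" address, same LAN
    "2001:db8:abcd:1201:d3f0:11aa:8b2c:de7",   # another privacy address, same LAN
    "2001:db8:abcd:1202:9e1d:c4f:31ab:77c2",   # a host on a second /64 of the delegation
]

def lan_prefix(addr, plen=64):
    """Mask an address to its /64: all an observer needs to do to tie every
    rotating privacy address back to one LAN prefix."""
    return ipaddress.ip_interface(f"{addr}/{plen}").network

def group_by_prefix(addrs, plen=64):
    """Bucket observed addresses by their /64, keyed by the prefix string."""
    groups = defaultdict(list)
    for a in addrs:
        groups[str(lan_prefix(a, plen))].append(a)
    return dict(groups)

def is_eui64(addr):
    """True when the interface identifier carries the ff:fe filler that EUI-64
    inserts into a MAC address, i.e. a stable, hardware-derived identifier."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11] == 0xFF and packed[12] == 0xFE

def inside_delegation(addrs, delegated=DELEGATED_PREFIX):
    """Check that every observed address lies inside the ISP-delegated block."""
    return all(ipaddress.IPv6Address(a) in delegated for a in addrs)

def delegation_stats(delegated, subnet_len=64):
    """(number of /64 subnets, addresses per /64) for a delegation:
    /56 -> 256 subnets, /60 -> 16 subnets, each holding 2**64 addresses."""
    if not isinstance(delegated, ipaddress.IPv6Network):
        delegated = ipaddress.IPv6Network(delegated)
    subnets = 2 ** (subnet_len - delegated.prefixlen)
    return subnets, 2 ** (128 - subnet_len)

def years_to_sweep(num_addresses, probes_per_second=1_000_000_000):
    """Years needed to probe every address once at a given rate; makes the
    thread's 'it would take forever' concrete (about 585 years for one /64)."""
    return num_addresses / probes_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for prefix, members in group_by_prefix(OBSERVED).items():
        print(prefix, [(m, "eui64" if is_eui64(m) else "random") for m in members])
    n, per = delegation_stats(DELEGATED_PREFIX)
    print(f"{DELEGATED_PREFIX}: {n} x /64, {per:,} addresses each")
    print(f"one /64 at 1e9 probes/s: {years_to_sweep(per):.0f} years")
```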

                                    @keyser said in SLAAC versus DHCPv6:

                                    is a PITA to get IPv6 working properly

                                    Well, could you, or someone else, explain for non-native English speakers what "PITA" in this context means? If I g00gle it I just learn what I already know: PITA is nice Greek food. But for sure you don't talk about nice Greek food, but more about something like a pain ;-)

                                      keyser @eagle61

                                      @eagle61 said in SLAAC versus DHCPv6:

                                      @keyser said in SLAAC versus DHCPv6:

                                      is a PITA to get IPv6 working properly

                                      Well, could you, or someone else, explain for non-native English speakers what "PITA" in this context means? If I g00gle it I just learn what I already know: PITA is nice Greek food. But for sure you don't talk about nice Greek food, but more about something like a pain ;-)

                                      😂 PITA = Pain In The As*

                                        eagle61 @keyser

                                        @keyser said in SLAAC versus DHCPv6:

                                        PITA = Pain In The As*

                                        Thanks very much. And yes, food also may sometimes result in PITA, but more likely not Greek food, but maybe very spicy food from India or other South East Asian countries ;-)

                                        I know it's off topic - sorry for that.

                                          Jung-Fernmelder

                                          I also had to google the abbreviation PITA.

                                          @Patch said in SLAAC versus DHCPv6:

                                          They are offering some internet privacy to those user who like some privacy.

                                          It makes sense that frequently changing prefixes improve privacy. A static or seldom-changing prefix is like a static or seldom-changing IPv4 address: anyone can recognize somebody as a user of a specific line. Since typically not more than five people share one private internet access subscription, there are few doubts about the user's identity.

                                            JKnott @Jung-Fernmelder

                                            @Jung-Fernmelder said in SLAAC versus DHCPv6:

                                            IPv6 is much more complicated than IPv4. And that's okay. Everybody involved in networking should be able to learn the IPv6 basics.

                                            Well, I've been running IPv6 on my home network for over 14 years. Haven't had a problem with it. It works fine. Most of the basics are the same or similar to IPv4. However, there are some significant changes in things like ICMP, no more ARP or broadcasts, etc.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.