Netgate Discussion Forum

SLAAC versus DHCPv6
JKnott @ronv42

      @ronv42

      I'm on Rogers and they use the same equipment as Comcast. However, there is a setting in pfSense that may affect this. It's System / Advanced / Networking / Do not allow PD/Address release. If that's not selected, the prefix will change frequently.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

Patch @JKnott

        @JKnott said in SLAAC versus DHCPv6:

        line about dynamic is better for privacy is wrong. With SLAAC you get up to 7 privacy addresses, based on a random number.

        they are all in the same range provided by the ISP, readily revealed by masking the address of any one of these addresses.

        • A dynamic ISP address range publishes which ISP the user is connected to the internet by
        • A static ISP address publishes your personal address range

        Then if one of the devices on your network has location services enabled for "Network & Wireless" or through your browser then the "privacy" addresses have your street address encoded in every internet communication.

        Recording addresses over time is likely to reveal what the 7 "private" addresses are for each device.

        So a static IP address range is not really very private at all in my opinion.

JKnott @Patch

          @Patch said in SLAAC versus DHCPv6:

          they are all in the same range provided by the ISP, readily revealed by masking the address of any one of these addresses.

          A dynamic ISP address range publishes which ISP the user is connected to the internet by
          A static ISP address publishes your personal address range
          recording addresses over time is likely to reveal what the 7 "private" addresses are for each device

          My WAN address is provided by DHCPv6, along with my prefix. It makes no difference whether I use SLAAC or DHCPv6 on my LAN, with regard to my prefix. It will be the same either way. The only issue is whether the ISP will honour the DUID.

One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course there's a firewall called pfSense that goes a long way to keeping attackers out! 😉


ronv42 @JKnott

            @JKnott said in SLAAC versus DHCPv6:

            One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack, even if they knew the prefix. A single /64 contains 18.4 billion, billion addresses. Compare this to a bit over 4 billion for the entire IPv4 address range. Of course, there's a firewall called pfSense that goes a long way to keeping attackers out!

            Now do the math with a /60: 16 x 18.4 billion - There is a reason I never see IPv6 address scans, but I still see port scans once a nefarious site logs your IPv6 they have the basic IP subnet, and it would take forever to scan through all those addresses.

JKnott @ronv42

              @ronv42

              With my /56, it's 256 /64s. Yeah, it would take a while. I mentioned privacy addresses. They have a lifetime of 7 days. After that, they'd have to start over to find another address.


Jung-Fernmelder

                Here is the guy who started the conversation. Thank you very much for all the information and the discussion. This helps me.

                Conclusion:
                Use SLAAC for clients and DHCPv6 for servers.

                @keyser said in SLAAC versus DHCPv6:

                is a PITA to get IPv6 working properly

                +1
                IPv6 is much more complicated than IPv4. And that's okay. Everybody involved in networking should be able to learn the IPv6 basics.
But the ISPs have messed it up, especially with frequent prefix renewals which are heavy to handle and unnecessary. Three or four IPv6 prefix renewals per year would be enough.

Patch @JKnott

                  @JKnott said in SLAAC versus DHCPv6:

                  It makes no difference whether I use SLAAC or DHCPv6 on my LAN, with regard to my prefix

                  Correct

                  @JKnott said in SLAAC versus DHCPv6:

                  One other thing, with the huge address block within a /64, an attacker would have a hard time finding something to attack

That is not an address privacy issue, but it may be part of a network server's exposure to the internet. Network protection by obfuscation is not really a good approach, as it fails rapidly if someone takes the time to look, especially if they can get a hint where to look from another source (human engineering, traffic monitoring etc). Direct protection using a decent firewall is far better.

                  @JKnott said in SLAAC versus DHCPv6:

                  With SLAAC you get up to 7 privacy addresses, based on a random number.

As I have tried to explain, 7 network addresses is a tiny number and every one of these addresses has the same prefix.

• If your ISP is giving you a static prefix, the prefix will almost certainly encode / reveal your street address every time you make an internet connection from any device on your local network. My interpretation of which is the "SLAAC Privacy addresses" you are using may be making you feel you have achieved something but they actually provide almost no privacy functionality.

• If your ISP is giving you a dynamic prefix, the prefix will encode / reveal what ISP you are using but not which service or your street address. If you then add some randomisation of the lower order bits for each device you may have achieved some privacy (not as much as a VPN or the routing randomisation Tor tries to achieve).

                  @Jung-Fernmelder said in SLAAC versus DHCPv6:

ISPs have messed it up, especially with frequent prefix renewals which are heavy to handle and unnecessary.

They are offering some internet privacy to those users who like some privacy. If you don't value privacy then perusing the options for a static IP address would be appropriate for you.

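Patch's point above (every "privacy" address collapses to the same delegated prefix under a mask) and the /64, /60, /56 arithmetic earlier in the thread can be checked with a short script. This is an added example, not code from the forum or from pfSense; the sample addresses are constructed from the 2001:db8::/32 documentation range, and the function and variable names are my own.

```python
"""Show, on constructed sample data, that SLAAC temporary ("privacy")
addresses sharing one delegated prefix are linked to each other by a simple
mask, while a prefix that rotates breaks that linkage.
Added example for this thread; not from the forum and not pfSense code."""
import ipaddress
from collections import defaultdict

# Constructed sample: addresses as a remote server might log them over time.
# "Household A" keeps a static /56 from its ISP; its devices rotate temporary
# interface identifiers, but the top 56 bits never move.
STATIC_PREFIX_LOG = [
    "2001:db8:aa00:1:6c2f:1a9e:41b0:77d1",
    "2001:db8:aa00:1:b1e4:0d5c:92ff:0a10",
    "2001:db8:aa00:1:38ca:55e1:7d02:c9f3",
    "2001:db8:aa00:2:9f00:aa31:2b4e:8e8c",   # another /64 in the same /56
    "2001:db8:aa00:2:12d3:f2c7:6a1b:0f44",
]
# "Household B" gets a new prefix on each daily reconnect, so the addresses
# logged on different days fall into different /56 blocks.
ROTATING_PREFIX_LOG = [
    "2001:db8:1100:1:6c2f:1a9e:41b0:77d1",   # day 1
    "2001:db8:2200:1:b1e4:0d5c:92ff:0a10",   # day 2
    "2001:db8:3300:1:38ca:55e1:7d02:c9f3",   # day 3
]


def delegated_prefix(addr: str, plen: int = 56) -> ipaddress.IPv6Network:
    """Mask an address down to the ISP-delegated prefix (default /56)."""
    return ipaddress.IPv6Interface(f"{addr}/{plen}").network


def group_by_prefix(addrs, plen: int = 56) -> dict:
    """Bucket logged addresses by their delegated prefix."""
    groups = defaultdict(list)
    for a in addrs:
        groups[delegated_prefix(a, plen)].append(a)
    return dict(groups)


def linkable(addrs, plen: int = 56) -> bool:
    """True when every logged address collapses to a single prefix, i.e. the
    randomised interface identifiers gave no cross-session privacy."""
    return len(group_by_prefix(addrs, plen)) == 1


def addresses_in(plen: int) -> int:
    """Number of addresses in a prefix of length plen (the /64, /60, /56 math)."""
    return 2 ** (128 - plen)


if __name__ == "__main__":
    for name, log in (("static /56", STATIC_PREFIX_LOG),
                      ("rotating /56", ROTATING_PREFIX_LOG)):
        groups = group_by_prefix(log)
        print(f"{name}: {len(groups)} prefix(es) seen, "
              f"linkable={linkable(log)}")
        for net, members in groups.items():
            print(f"  {net}: {len(members)} address(es)")
    for plen in (64, 60, 56):
        print(f"/{plen}: {addresses_in(plen):.3e} addresses "
              f"({addresses_in(plen) // addresses_in(64)} x a /64)")
```

Grouping at /64 instead of /56 (`group_by_prefix(log, 64)`) shows the same thing one level down: the household's devices still sort into the same handful of buckets, which is why rotating the low 64 bits alone does not hide which line the traffic came from.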
eagle61 @keyser

                    @keyser said in SLAAC versus DHCPv6:

                    is a PITA to get IPv6 working properly

Well, could you, or someone else, explain for non-native English speakers what "PITA" in this context means? If I g00gle it I just learn what I already know, PITA is nice Greek food. But for sure you don't talk about nice Greek food but more about something like a pain ;-)

keyser @eagle61

                      @eagle61 said in SLAAC versus DHCPv6:

                      @keyser said in SLAAC versus DHCPv6:

                      is a PITA to get IPv6 working properly

Well, could you, or someone else, explain for non-native English speakers what "PITA" in this context means? If I g00gle it I just learn what I already know, PITA is nice Greek food. But for sure you don't talk about nice Greek food but more about something like a pain ;-)

😂 PITA = Pain In The As*

                      Love the no fuss of using the official appliances :-)

eagle61 @keyser

                        @keyser said in SLAAC versus DHCPv6:

                        PITA = Pain In The As*

Thanks very much. And yes, food also may sometimes result in PITA, but more likely not Greek food, but maybe very spicy food from India or other South East Asian countries ;-)

I know it's off topic - sorry for that.

Jung-Fernmelder

                          I also had to google the abbreviation PITA.

                          @Patch said in SLAAC versus DHCPv6:

                          They are offering some internet privacy to those user who like some privacy.

It makes sense that frequently changing prefixes improve privacy. A static or seldom changing prefix is like a static or seldom changing IPv4 address - anyone can recognize somebody as a user of a specific line. Since typically not more than five people share one private internet access subscription, there are few doubts about the user's identity.

JKnott @Jung-Fernmelder

                            @Jung-Fernmelder said in SLAAC versus DHCPv6:

                            IPv6 is much more complicated than IPv4. And that's okay. Everybody involved in networking should be able to learn the IPv6 basics.

Well, I've been running IPv6 on my home network for over 14 years. Haven't had a problem with it. It works fine. Most of the basics are the same or similar to IPv4. However, there are some significant changes in things like ICMP, no more ARP or broadcasts etc.


JKnott @Jung-Fernmelder

                              @Jung-Fernmelder

                              Unless an ISP provides a consistent host name, changing the prefix will make it impossible to have a VPN to that network, just like with IPv4.

                              Here's a comparison. My ISP provides a /56 prefix and both IPv4 and IPv6 hostnames are tied to the modem and firewall MAC addresses. Even if my addresses change, I can still use the host name. On the other hand, a friend is on Bell Canada. First off, they don't provide IPv6 at all. Also, the IPv4 address changes frequently and the host name with it. This means to access a server he has on his network, he has to use dynamic DNS and that sometimes fails. Which would you rather have? Also, if I want to have my prefix change, it's a simple matter of a single check box in pfSense to let that happen.

                              As for servers, if you want others to access them, you have to have a DNS record for it on a public DNS. In this regard, it makes absolutely no difference whether you use SLAAC or DHCPv6 on the local LAN.


Jung-Fernmelder @JKnott

                                @JKnott said in SLAAC versus DHCPv6:

                                As for servers, if you want others to access them, you have to have a DNS record for it on a public DNS.

                                +1
Applying static IP addresses, both IPv4 and IPv6, combined with normal DNS records is the only professional way to make servers accessible to the public.
But subscribing to a static IPv4 address and a static IPv6 prefix costs money. A VPS hosted in a data center may be cheaper. Or craft a homebrew solution with DynDNS for non-critical scenarios or the private IT playground.

                                @JKnott said in SLAAC versus DHCPv6:

                                it makes absolutely no difference whether you use SLAAC or DHCPv6 on the local LAN

It makes a difference: if you use DHCPv6 only, Android clients won't have IPv6 connectivity because Android doesn't support DHCPv6.

                                Edit note 2024-09-03 14:12 UTC: Forgotten blank line added.

eagle61 @JKnott

                                  @JKnott said in SLAAC versus DHCPv6:

                                  Unless an ISP provides a consistent host name, changing the prefix will make it impossible to have a VPN to that network, just like with IPv4.

Well, my ISP changes the prefix every 24 hours. Still I use a VPN to that network, just like with IPv4. I use a free-of-charge DynDNS provider to fix that.

JKnott @Jung-Fernmelder

                                    @Jung-Fernmelder said in SLAAC versus DHCPv6:

Applying static IP addresses, both IPv4 and IPv6, combined with normal DNS records is the only professional way to make servers accessible to the public.

                                    I use a public DNS for my addresses. However, I'm the only one that uses it.

It makes a difference: if you use DHCPv6 only, Android clients won't have IPv6 connectivity because Android doesn't support DHCPv6.

Are we talking about the WAN side or LAN? You seem to be confused. On the WAN side there's usually no option, it's DHCPv6. On the LAN side, where you'll find Android clients, you can choose SLAAC or DHCPv6. What's on the WAN side has absolutely no effect on what you use on the LAN side.


JKnott @eagle61

                                      @eagle61 said in SLAAC versus DHCPv6:

Well, my ISP changes the prefix every 24 hours. Still I use a VPN to that network, just like with IPv4. I use a free-of-charge DynDNS provider to fix that.

                                      I have never had to use dynamic DNS as my ISP provides consistent host names. I create an alias on a public DNS that points to my WAN host name. On the other hand, a friend has to use it, as his host name changes with the address change, but sometimes it fails.

                                      BTW, I hate all the hacks some people think are normal. DynDNS is one but NAT is the big one, because it breaks things, where we need another hack, STUN etc. Please, Please, PLEASE learn how the Internet gods intended things to work, instead of using all these hacks!


eagle61 @JKnott

                                        @JKnott said in SLAAC versus DHCPv6:

                                        BTW, I hate all the hacks some people think are normal. DynDNS is one but NAT is the big one, because it breaks things, where we need another hack, STUN etc. Please, Please, PLEASE learn how the Internet gods intended things to work, instead of using all these hacks!

With IPv6, no NAT is needed.
If the ISP forces a reconnect every night, the IPv4 address and IPv6 prefix will change. Forcing a reconnect every night is very common and done by most ISPs here in the country I live in for private customer contracts. If someone does not want that, the only solution is a business customer contract with the ISP, which is significantly more expensive.
So it's less a question of wanting to "learn how the Internet gods intended things to work" or not, but of dealing with the facts the ISP is defining.

JKnott @eagle61

                                          @eagle61 said in SLAAC versus DHCPv6:

If the ISP forces a reconnect every night, the IPv4 address and IPv6 prefix will change. Forcing a reconnect every night is very common and done by most ISPs here in the country I live in for private customer contracts.

                                          Why should that be the case? If I want my prefix to change, I can change a setting to allow that. I've had the same prefix for over 5 years and the same IPv4 address & host name since the last time I changed my cable modem.

                                          I really don't care if someone knows my prefix as it's virtually impossible for them to find a target and that's before they have to get through my pfSense firewall. On the other hand, finding a target on IPv4 is trivial, though pfSense is still in the way. The only thing that's allowed through my firewall is OpenVPN.

                                          However, this has nothing to do with using SLAAC vs DHCPv6 on the LAN.


the other @JKnott

                                            @JKnott I cannot answer your question "why?"... :)
But I can report that here in Germany the ISPs I know do that as well. Maybe not every 24 hours, but often enough that using those prefixes breaks everything after a change. So: don't know why they still do it (I guess it's just another dumb implementation of v6 as seen so often), but they do it anyways....
That's why I use those global prefixes that change thanks to my German ISP as well as my "own" (not changing) unique locals... for rules and such.
It's depressing but that's how some big players really make it tedious to use v6 in my opinion...

                                            the other

                                            pure amateur home user, no business or professional background
                                            please excuse poor english skills and typpoz :)
