Overview of DHCPv6 Guard

DHCPv6 Guard is a security mechanism used to protect the DHCPv6 environment from malicious DHCPv6 servers or intermediate devices that adversely affect DHCPv6 clients. It ensures the security and reliability of DHCPv6 services by detecting and blocking unauthorized DHCPv6 traffic.

DHCPv6 Guard works in the following ways:

  • Flow measurement: Monitors DHCPv6 traffic on the network, including the exchanges between DHCPv6 servers and clients.

  • Authorization verification: Checks whether the DHCPv6 traffic is sent from an authorized DHCPv6 server. The check can use the source address, the DUID (DHCPv6 Unique Identifier), or other relevant fields of the DHCPv6 message.

  • Blocking traffic: If traffic is detected from an unauthorized DHCPv6 server, DHCPv6 Guard blocks it to ensure that the DHCPv6 client does not receive configuration information.

Characteristics

  • Security: By blocking unauthorized DHCPv6 traffic, DHCPv6 Guard improves the security of the DHCPv6 environment and reduces potential security risks.

  • Reliability: DHCPv6 Guard improves the reliability of the DHCPv6 service by ensuring that DHCPv6 clients receive configuration information only from authorized DHCPv6 servers.

  • Flexibility: DHCPv6 Guard can be configured according to the network environment and security requirements to adapt to different application scenarios.

Terminologies

  • Policy

"Policy" usually refers to a set of rules defined by a network administrator that controls how DHCPv6 Guard handles DHCPv6 traffic on the network. These policies determine which DHCPv6 servers are considered legitimate and block the activity of illegal or unauthorized DHCPv6 servers.

  • IA-Prefix

"IA-Prefix" is one of the Identity Association (IA) types in DHCPv6 and is used for prefix delegation. Prefix delegation allows a DHCPv6 client to request one or more IPv6 prefixes from a DHCPv6 server so that it can assign IPv6 addresses from these prefixes on its own subnet.

The Identity Association Identifier (IAID) distinguishes different IAs; it is generated by the client and sent to the server in the DHCPv6 message. In addition to the IAID, an IA-Prefix carries parameters such as the requested prefix length and the T1 and T2 times (for prefix renewal and rebinding).

When a DHCPv6 client needs to assign IPv6 addresses on its subnet, it sends a DHCPv6 Request message containing the IA-Prefix option to the DHCPv6 server. After receiving the request, the server assigns one or more IPv6 prefixes to the client according to its configuration and policies, and returns this information to the client in a DHCPv6 Reply message. After receiving the prefixes, the client can use them to assign IPv6 addresses to other devices on its subnet.

  • Preference

"Preference" indicates the relative priority of a DHCPv6 server. When a DHCPv6 client selects among multiple DHCPv6 servers, it evaluates their preference values; the server with the higher preference value is the preferred choice.

The preference value is usually an integer, and its range can vary between implementations. In some implementations a larger number represents a higher priority, while in others the opposite may be true. If the preference value is not explicitly set, the DHCPv6 server may use a default value, which may also vary between implementations.

The working principle is as follows:

  1. When a DHCPv6 client starts, it sends a Solicit message to find available DHCPv6 servers.

  2. Multiple DHCPv6 servers may respond with an Advertise message containing their configuration information and preference values.

  3. The DHCPv6 client selects the server with the highest priority according to the preference values of the responding servers.

  4. The client sends a Request message to the selected server for the IP address and other configuration information. The selected DHCPv6 server responds with a Reply message containing the IP address assigned to the client and the other configuration parameters.

  • Device-role

"Device-role" refers to the functional positioning of network devices in DHCPv6 protocol interactions. The DHCPv6 Guard mechanism involves two main device roles:

  1. DHCPv6 Server: The DHCPv6 server responds to client address requests and provides IPv6 addresses, prefixes, and other network configuration parameters. In a DHCPv6 Guard environment, legitimate DHCPv6 servers are clearly identified by the network administrator so that the Guard mechanism can distinguish between legitimate servers and potentially malicious servers.

  2. DHCPv6 Client: The DHCPv6 client is a device that requests IPv6 addresses and network configuration information. A client initiates the DHCPv6 process by sending a Solicit message and then receives an Advertise or Reply message from a legitimate DHCPv6 server.

  • Trust-port

"Trust-port" refers to a port on a network device that is explicitly marked as connecting to a legitimate DHCPv6 server. If a port is set as a trust-port, all DHCPv6 Advertise and Reply packets received on that port are regarded as legitimate and reliable, and DHCPv6 Guard forwards them to the corresponding clients.

Functional Procedure

IPv6 Address/Prefix Assignment Process

Figure 1. The distribution process of four exchanged messages


The DHCPv6 protocol is used to assign IPv6 addresses to users in a stateful manner, which involves four basic packets, as shown in the figure above.

  • Solicit packet: Corresponds to the Discover packet of DHCPv4. The initial request sent by the client to locate DHCPv6 servers. The source port is UDP port 546 and the destination port is UDP port 547.

  • Advertise packet: Corresponds to the Offer packet of DHCPv4. The response sent by the server declares that it can provide DHCPv6 service and contains an IPv6 address or other configuration information that can be assigned to the client.

  • Request packet: Corresponds to the Request packet of DHCPv4. If the client accepts the information offered by the server, it sends this message to request a specific IPv6 address or configuration information.

  • Reply packet: Corresponds to the ACK packet of DHCPv4. The final response sent by the server to inform the client that the requested IPv6 address or other configuration information has been assigned.

Matching Rules for DHCPv6 Guard

After receiving DHCPv6 packets, the DHCPv6 Guard processes the packets according to the packet type and port role.

  • DHCPv6 request packets: forwarded directly.

  • DHCPv6 reply packets: processed according to the port role.

If the port is a trust-port, all reply packets received on the port are forwarded directly.

If the port role is client, all reply packets received on the port are discarded.

If the port role is server, the reply packets are filtered according to the policy rules.

To ensure that DHCPv6 Guard works correctly on network devices, especially on the interface that connects to a legitimate DHCPv6 server, you must set the device role in the DHCPv6 Guard policy to DHCPv6 server. When DHCPv6 response packets arrive, either on a server-role interface or across a VLAN, DHCPv6 Guard filters them according to the configured policies:

  • For Advertise messages: DHCPv6 Guard validates Advertise packets from the DHCPv6 server against Access Control List (ACL) rules and discards those that do not match. Advertise packets whose preference value does not meet the configured priority criteria can also be filtered out.

  • For Reply messages: DHCPv6 Guard uses ACL rules to filter DHCPv6 Reply packets that carry unauthorized addresses or prefixes. This ensures that only valid, authorized network configurations are distributed to requesting devices, improving network security and stability.

In essence, the DHCPv6 Guard policy implements fine-grained control over DHCPv6 traffic, enabling administrators to maintain a secure, managed network environment by selectively permitting or blocking DHCPv6 packets based on server legitimacy and adherence to the configured policies.

The DHCPv6 reply packet can be forwarded to the DHCPv6 client only after passing all DHCPv6 Guard policy checks.
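The matching rules above, written out as a small decision function. This is an added example and not Pica8's implementation; the port names, the policy fields, and the rule that an Advertise must carry a preference at or above a configured minimum are constructed assumptions, since the page does not state how the priority criteria are expressed.

```python
# Added example (not Pica8 code): a model of the DHCPv6 Guard matching rules on this page.
# Port names, policy fields and the preference threshold are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SERVER_MSGS = {"ADVERTISE", "REPLY", "RECONFIGURE"}  # server -> client; anything else is a client request

@dataclass
class Packet:
    msg_type: str                  # DHCPv6 message type name
    port: str                      # ingress port on the guard device
    src: str                       # IPv6 source address of the sender
    preference: int = None         # Preference option carried in an Advertise
    assigned: list = field(default_factory=list)  # addresses/prefixes handed out in a Reply

@dataclass
class GuardPolicy:
    trusted_ports: set        # trust-ports: server messages forwarded unchecked
    port_roles: dict          # port -> "server" or "client" (default "client")
    server_acl: set           # permitted DHCPv6 server source addresses (ACL rule)
    prefix_acl: list          # prefixes a server is allowed to assign (ACL rule)
    min_preference: int = 0   # assumption: Advertise preference must be >= this

EXAMPLE_POLICY = GuardPolicy(   # constructed sample policy
    trusted_ports={"ge-1/1/1"},
    port_roles={"ge-1/1/2": "server", "ge-1/1/3": "client"},
    server_acl={"2001:db8::1"},
    prefix_acl=["2001:db8:100::/48"],
    min_preference=10,
)

def guard(pkt: Packet, pol: GuardPolicy) -> tuple:
    if pkt.msg_type not in SERVER_MSGS:        # request packets: forwarded directly
        return "forward", "client message"
    if pkt.port in pol.trusted_ports:          # trust-port: no filtering
        return "forward", "trust-port"
    if pol.port_roles.get(pkt.port, "client") == "client":
        return "drop", "server message on client-role port"
    if ip_address(pkt.src) not in {ip_address(a) for a in pol.server_acl}:
        return "drop", "source not in server ACL"
    if pkt.msg_type == "ADVERTISE" and pkt.preference is not None \
            and pkt.preference < pol.min_preference:
        return "drop", "preference below policy minimum"
    if pkt.msg_type == "REPLY":                # every assigned address/prefix must be authorized
        for item in pkt.assigned:
            if not any(ip_network(item, strict=False).subnet_of(ip_network(p))
                       for p in pol.prefix_acl):
                return "drop", f"unauthorized address/prefix {item}"
    return "forward", "passed all policy checks"
```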

Copyright © 2024 Pica8 Inc. All Rights Reserved.