IPv6 Security

Prefix Delegation Threats 115between the DHCPv6 relay agent and server. Separate IPsec configurations could be usedto secure these communications.DHCPv6 can provide a prefix to a device in addition to providing individual IPv6 addressesto hosts on a LAN. This is an extension to the DHCPv6 specification called DHCPv6 PrefixDelegation (DHCPv6-PD). The client device acts as a DHCPv6 client, and the DHCPv6delegating router acts like the DHCPv6 server. It is relatively simple to have one router bea DHCP server for other access routers. The delegating router can be preconfigured with apool of addresses that prefixes will be allocated from. The client router configuration isequally simple.NOTEDeploying IPv6 Networks, by Ciprian Popoviciu, Eric Levy-Abegnoli, and PatrickGrossetete (Cisco Press, 2006), offers good examples of DHCPv6-PD in Chapter 3.Example 3-10 shows what a delegating router configuration might look like. The DHCPv6configuration on the router is tied to a specific interface. A pool is created that defines theblock of addresses to allocate from and the prefix length to give to the client. In this case,/48 blocks are delegated to the clients out of a /40 pool. A DHCPv6 pool is created andassigned to an interface.Example 3-10 Delegating Router Configurationhostname R1!ipv6 unicast-routingipv6 dhcp pool CUSTPOOLprefix-delegation pool PREFIXdns-server 2001:DB8:1::1!interface FastEthernet1/0description Link to customers for DHCP prefix delegationno ip addressipv6 address 2001:DB8::1/64ipv6 dhcp server CUSTPOOL!ipv6 local pool PREFIX 2001:DB8:FF00::/40 48The configuration of the DHCPv6 client is simple. Example 3-11 shows that DHCPv6-PDis tied to an interface and the allocated prefix is assigned to a general prefix variable. RouterR2 is connected to R1 with interface Fast Ethernet 1/0. This general prefix variable can beused on other downstream interfaces.