Version 4.1 - 1.1 Network Addressing Basics Part 4
Let's start this section with DHCP. A more complete discussion of DHCP will be in section 3.4, but this part will discuss the IPv6 addresses derived through stateful and stateless configuration. Cisco's Guide for Implementing DHCP for IPv6 thoroughly covers the topic. Stateful address configuration uses a DHCP server to manage address assignment. Stateless configuration does not manage the address assignment: the node learns the prefix from Router Advertisements and uses it to build the complete address itself. Another blog that addresses this topic is The Network Way. Note that you may see the term SLAAC (Stateless Address Autoconfiguration) somewhere. It just means the node uses RAs and the EUI-64 format to create an IPv6 address for itself. [No DHCPv6 server involved.] However, stateless addressing also includes using SLAAC to get an address and a DHCPv6 server to get other options (DNS, NTP, etc.). So both stateful and stateless addressing can involve a DHCPv6 server (depending on your network design).
In case you need a refresher on the way a 48-bit MAC address gets converted to a 64-bit EUI, refer to the graphic below. This 64-bit EUI address gets tacked on the end of the 64-bit prefix to produce the 128-bit IPv6 address.
There are also IPv4-compatible IPv6 addresses. These addresses have the format 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D. The high-order 96 bits are zeros and the low-order 32 bits are the IPv4 address. Note that the latter part is in dotted decimal format. Also notice that there are more characters than you usually find in an IPv6 address. But it's still 128 bits. A.B.C.D only accounts for 32 bits (the 32-bit IPv4 address). That's only 8 characters of a "regular" IPv6 address. It's easy to be fooled by looking at this quickly during an exam.
Let's not forget IPv6 cryptographically generated addresses (CGA). This is addressed in RFC 3972 and associates a public key with an IP address in the SEND (Secure Neighbor Discovery) protocol. I don't see SEND listed in the blueprint, but it would actually be fair game on the exam. Basically, a hash of the public key (along with some other input) is used to create the 64-bit host portion of the IPv6 address. This is supposed to prevent spoofing of IPv6 addresses. Now if you're paying close attention, you will ask: how does that prevent spoofing? First of all, the purpose of a public key is that it is public (everyone can obtain it). And once it's calculated and used - well, just reuse what the original node calculated and spoof it. Read the RFC and look closer into SEND. The CGA is just a part of this. Once the CGA is calculated and used, _signed_ messages (which can only be signed using the private key) are used in the protocol. So you check the signed message against the CGA, and if it doesn't verify, the address is being spoofed. The RFC also acknowledges that an attacker could take a CGA address and use it as a non-CGA address. SEND nodes accept both signed and unsigned messages from every address. However, the attacker would not get much benefit from it since SEND nodes give priority to signed messages.
The last two addresses are somewhat related, and they both deal with IPv6 tunnels. Without going into tunnel types (covered in 1.6.c), I would like to note the addresses in this section. These are ISATAP and 6to4 addresses. Both of them are similar in that they embed the IPv4 address, converted to hex, within their IPv6 address. These are different from the IPv4-compatible addresses, which use a dotted decimal portion within the IPv6 address. These two types use an all-hex IPv6 address. So the first thing you have to do is take the IPv4 address and convert those 32 bits of dotted decimal to 32 bits of hex. If you ever have to do this, use binary as the intermediate step.
The ISATAP address is covered in the Cisco Documentation, in Table 3 of the ISATAP tunnel documentation. The first 64 bits are the link-local or global prefix. The next 32 bits are 0000:5EFE and the last 32 bits are the hex equivalent (as noted above) of the IPv4 address. Cisco's example is 2001:DB8:1234:5678:0000:5EFE:0AAD:8108 for a global address. The 0AAD:8108 represents the converted (embedded) IPv4 address 10.173.129.8 in their example.
The 6to4 addresses are covered in the Cisco Documentation on 6to4 Tunnels. This documentation is not as detailed as the ISATAP link above. However, the main point is that the 6to4 address is created by using the prefix 2002::/16 and tacking on the 32 bits of the converted-to-hex IPv4 address to get a 2002:XXXX:XXXX::/48 address. [X represents the hex equivalent 32 bits] So for the example address above, you would use 2002:0AAD:8108::/48 for the 6to4 address.
So think about this. Both of these are similar in that they use the converted address (which can be converted back when on the IPv4 network). But the ISATAP addressing puts this in the HOST portion whereas the 6to4 addressing puts it in the NETWORK portion. Think about IPv4 addresses and subnet masks. Take two addresses, 14.12.221.38/24 and 14.12.221.110/24: in IPv4 they are on the same subnet and would have no problem routing between them. When you put the embedded IPv4 address in the network portion of the converted address (as 6to4 does), they end up on different IPv6 networks. This may be tricky to resolve. But when you put the converted address in the host portion (as ISATAP does), they are on the same network (because the first 64 bits are the prefix).
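To make the address arithmetic in this section concrete, here is an added Python example (not from the original post or from Cisco's documentation) that derives a SLAAC address from a MAC via modified EUI-64, an IPv4-compatible address, the ISATAP address from the Cisco example, and a 6to4 prefix, then checks the same-subnet point just made. The MAC address is a constructed sample value; the /64 prefix and 10.173.129.8 are from the Cisco example above.

```python
import ipaddress

# Constructed sample values: Cisco's /64 and IPv4 host, a made-up MAC, and the two IPv4 hosts (same /24) from the text.
PREFIX = "2001:DB8:1234:5678::/64"
CISCO_V4 = "10.173.129.8"
SAMPLE_MAC = "00:0c:29:c2:52:ff"
HOST_A, HOST_B = "14.12.221.38", "14.12.221.110"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Bit 7 of the first octet is the universal/local bit; it is inverted.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def _prefix64(prefix: str) -> int:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC and ISATAP interface IDs need a /64 prefix")
    return int(net.network_address)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix learned from the RA + EUI-64 interface ID (no DHCPv6 server)."""
    return ipaddress.IPv6Address(_prefix64(prefix) | eui64_interface_id(mac))

def ipv4_compatible(v4: str) -> ipaddress.IPv6Address:
    """::A.B.C.D: 96 zero bits followed by the raw 32-bit IPv4 address."""
    return ipaddress.IPv6Address(int(ipaddress.IPv4Address(v4)))

def isatap_address(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Interface ID 0000:5EFE:<IPv4 in hex>; the IPv4 address sits in the HOST part."""
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(_prefix64(prefix) | iid)

def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:XXXX:XXXX::/48; the IPv4 address sits in the NETWORK part."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def same_network(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address, plen: int) -> bool:
    """True when a and b share the same /plen network."""
    return int(a) >> (128 - plen) == int(b) >> (128 - plen)

if __name__ == "__main__":
    print(slaac_address(PREFIX, SAMPLE_MAC), isatap_address(PREFIX, CISCO_V4), six_to_four_prefix(CISCO_V4))
    # Same IPv4 /24: ISATAP keeps both hosts in one /64, 6to4 splits them into two /48s.
    print(same_network(isatap_address(PREFIX, HOST_A), isatap_address(PREFIX, HOST_B), 64), six_to_four_prefix(HOST_A) == six_to_four_prefix(HOST_B))
```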
And this is the end of Part 4. The last part of this section is related to one last thing that I want to mention about IPv6. It's not really addressing, but I don't see it explicitly covered in the blueprint. This is the difference between an IPv4 header and an IPv6 header. As you go through your reference materials, note diagrams like these. Read your books with an eye towards the creation of exam questions. Diagrams and tables make for excellent drag-and-drop questions. Anything with specific steps (like a process) is also something that could be a drag-and-drop question.
Remember that this is the CCIE Written exam. From my experience you will find:
1) True | False questions
2) Pick the best answer (multiple choice - single answer)
3) Pick all that apply (multiple choice - multiple answer)
4) Drag and drop
Unlike the lower-level certifications, there are no simulations. The "hands-on" portion will be in the 8-hour lab. So why would they bother to develop any kind of simulation? You will prove that part out later. So this is mainly a test of knowledge and applied theory. And I'm not sure if it was my perception, the adaptive nature of the test, or if they are substituting drag-and-drop for simulations to "toughen" the test. But I felt there were a LOT of that type of question. This time I want to be ready for them.