IPv6 Address Configuration and Name Resolution - SITPUG

Joe Davies
Principal Writer
Windows Server Information Experience
Presented at:
Seattle Windows Networking User Group
June 1, 2011
© 2011 Microsoft Corporation

IPv6 addressing and DNS review
IPv6 subnetting and address allocation
Stateful vs. stateless address
autoconfiguration
◦ Routers vs. DHCPv6 servers
DNS servers and name resolution
◦ Registration of AAAA records
◦ DNS traffic over IPv6
◦ Source and destination address selection

What are IPv6 addresses
again?

IPv6 address in binary form
0010000000000001000011011011100000000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
Divide along 16-bit boundaries
0010000000000001 0000110110111000 0000000000000000 0010111100111011
0000001010101010 0000000011111111 1111111000101000 1001110001011010
Convert each 16-bit block to hexadecimal
and delimit with colons
◦ 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
Suppress leading zeros within each block
◦ 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

A single contiguous sequence of 16-bit
blocks set to 0 can be compressed to “::”
(double-colon)
Example:
◦ FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes
FE80::2AA:FF:FE9A:4CA2
◦ FF02:0:0:0:0:0:0:2 becomes FF02::2
◦ 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A becomes
2001:DB8::2F3B:2AA:FF:FE28:9C5A

Express routes, address spaces, or address
ranges
IPv6 always uses address/prefix-length
notation
◦ Similar to CIDR notation
Examples
◦ 2001:DB8:0:2F3B::/64 for a subnet prefix
◦ 2001:DB8:3F::/48 for a route prefix

Link-local addresses
Global addresses
Unique local addresses

Address scope is a single link
◦ Equivalent to APIPA IPv4 addresses (169.254/16)
FE80::/64 prefix
Used for:
◦ Single subnet, routerless configurations
◦ Neighbor Discovery processes
64 bits
64 bits
1111 1110 1000 0000 . . . 0000
Interface ID

Address scope is the entire IPv6 Internet
◦ Equivalent to public IPv4 addresses
Structure
◦ Global Routing Prefix
◦ Subnet ID
◦ Interface ID
45 bits
16 bits
64 bits
001 Global Routing Prefix
Subnet ID
Interface ID

Private to an organization, yet unique per
site and per organization
FD00::/8 prefix
40-bit Global ID randomly assigned
◦ Unique 48-bit prefix between sites of an
organization and between organizations
8 bits 40 bits
16 bits
64 bits
1111 1101 Global ID Subnet ID Interface ID

RFC 1886
◦ DNS extensions to support IP version 6
Name to address records
◦ AAAA record type (equivalent to IPv4 A record)
◦ Example record
host1.example.com IN AAAA
2001:db8::1:dd48:ab34:d07c:3914
Address to name records
◦ New reverse domain called IP6.ARPA.
◦ Example record
4.1.9.3.c.7.0.d.4.3.b.a.8.4.d.d.1.0.0.0.0.0.0.0.8.b.d.0.1.0.
0.2.ip6.arpa. IN PTR host1.example.com

DNS clients only register global and uniquelocal
addresses
Windows dynamic update behavior
◦ DNS client
• On the DNS tab of advanced TCP/IP settings
◦ DNS server
• On the General tab of the properties of a zone
• None
• Secure only (default)
• Nonsecure and secure

Domain members
◦ No problem
Non-domain
members
◦ Use DHCP service to
register on the DNS
client’s behalf
◦ DNS tab of the
properties of a DHCP
scope

How do I divide up an IPv6
address prefix?

Using the 16 bits in the Subnet ID portion of the
global or unique local address prefix
Step 1: Determining the number of bits to subnet
◦ Subnetting on nibble (hex digit) boundaries
• 4 hex digits
• Example: Region-Location-Building-Floor
• 2001:DB8:1719:2A3E::/64
• 2 – Region
• A – Location
• 3 – Building
• E - Floor
◦ Subnetting on bit boundaries
Step 2: Enumerating the subnetted address prefixes

f = number of fixed bits
s = number of bits for
subnetting
r = remaining bits
f+s+r=16
f
r
[48-bit prefix]: ::
s

Binary
◦ Use binary representations of the subnet ID and
convert to hexadecimal
Hexadecimal
◦ Use hexadecimal representations of the subnet ID
and a calculated increment
Decimal
◦ Using decimal representations of the subnet ID and
increment

1. Calculate the hexadecimal increment
between subnetted address prefixes
2. Create 2-column table:
◦ Network prefix number
◦ Subnetted address prefix
3. First entry is starting prefix with new prefix
length
4. Next entry is starting prefix plus increment
with new prefix length
5. Repeat step 4 until table is complete

Step 1
◦ Starting prefix: 2001:DB8:0:C000::/51
• f = 51 – 48 = 3
◦ Number of bits to subnet: 3
• s = 3
◦ New prefix length is 51+3=54
• l = 51 + s
◦ Increment between subnets:
• i = 2 16-(f+s) = 2 16-(3+3) = 1024 = 0x400
C000 is 1100 0000 0000 0000
Fixed bits
Bits for subnetting

Steps 2 and 3
Network Prefix Number
Subnetted Address Prefix
1 2001:DB8:0:C000::/54
C000 is 1100 0000 0000 0000

Step 4
Network Prefix Number
Subnetted Address Prefix
1 2001:DB8:0:C000::/54
2 2001:DB8:0:C400::/54
add 0x400
C400 is 1100 0100 0000 0000

Step 5
Network Prefix Number
Subnetted Address Prefix
1 2001:DB8:0:C000::/54
2 2001:DB8:0:C400::/54
3 2001:DB8:0:C800::/54
add 0x400
C800 is 1100 1000 0000 0000

Step 5
Network Prefix Number
Subnetted Address Prefix
1 2001:DB8:0:C000::/54
2 2001:DB8:0:C400::/54
3 2001:DB8:0:C800::/54
4 2001:DB8:0:CC00::/54
5 2001:DB8:0:D000::/54
6 2001:DB8:0:D400::/54
7 2001:DB8:0:D800::/54
8 2001:DB8:0:DC00::/54
add 0x400
add 0x400
add 0x400
add 0x400
add 0x400
DC00 is 1101 1100 0000 0000

How does the host know
where to get its configuration
settings?

Nodes discover the set of routers on the local
link
IPv6 router discovery also provides:
◦ Default value of Hop Limit field
◦ Use of stateful address protocol for addresses or
other settings
◦ Reachability and retransmission timers
◦ Network prefixes for the link
◦ MTU of the local link
◦ How long the advertising router is the default router
◦ Specific routes
Exchange of Router Solicitation/Router
Advertisement (RA) messages

Ethernet Header
• Destination MAC is 33-33-00-00-00-02
IPv6 Header
• Source Address is ::
• Destination Address is FF02::2
• Hop limit is 255
Router Solicitation Header
Host A
MAC: 00-B0-D0-E9-41-43
IP: none
Send multicast Router Solicitation
Router Solicitation
Router
MAC: 00-10-FF-D6-58-C0
IP: FE80::210:FFFF:FED6:58C0

Ethernet Header
• Destination MAC is 33-33-00-00-00-01
IPv6 Header
• Source Address is FE80::210:FFFF:FED6:58C0
• Destination Address is FF02::1
• Hop limit is 255
Router Advertisement Header
• Current Hop Limit, Flags, Router Lifetime,
Reachable and Retransmission Timers
Neighbor Discovery Options
• Source Link-Layer Address
• MTU
• Prefix Information
Host A
MAC: 00-B0-D0-E9-41-43
IP: none
Router Advertisement
Send multicast Router Advertisement
MAC: 00-10-FF-D6-58-C0
IP: FE80::210:FFFF:FED6:58C0
Router

1. Stateless
◦ Receipt of Router Advertisement messages with one
or more Prefix Information options
2. Stateful
◦ Use of a stateful address configuration protocol such
as DHCPv6
3. Both
◦ Receipt of Router Advertisement messages and
stateful configuration protocol
For all types, a link-local address is always
configured

Configure link-local address
◦ Perform duplicate address detection
Perform router discovery
◦ Use Router Advertisements to determine
• Configuration parameters
• Stateless addresses and on-link prefixes
• For stateless addresses, perform duplicate address detection
• Whether to use DHCPv6
• Request address prefixes via Managed Address Configuration
flag
• Request options via Other Stateful Address Configuration flag
◦ If no responses, use DHCPv6

Set Hop Limit, Reachable Time,
Retrans Timer, MTU.
Are Prefix
Information
options
present?
Yes
Configure stateless addresses.
Send Router Solicitation.
No
Router
Advertisement
response
received?
No
Use DHCPv6.
Is Managed
Address
Configuration flag
set to 1?
Yes
Yes
No
Is
Other
Stateful
Configuration
flag set
to 1?
Yes
Use DHCPv6.
No
Stop address autoconfiguration.

Managed Address Configuration flag
◦ netsh interface ipv6 set interface
managedaddress=enabled
Other Stateful Address Configuration flag
◦ netsh interface ipv6 set interface
otherstateful=enabled

DHCPv6 clients
◦ Windows Vista and higher, Windows Server 2008
and higher
DHCPv6 servers
◦ Windows Server 2008/R2 DHCP Server service
DHCPv6 relay agents
◦ Windows Server 2008/R2 Routing and Remote
Access service

User Datagram Protocol (UDP) messages
◦ DHCPv6 clients listen on UDP port 546
◦ DHCPv6 servers and relay agents listen on UDP port 547
Solicit
◦ Sent by a client to locate servers
Advertise
◦ Sent by a server in response to a Solicit message to indicate availability
Request
◦ Sent by a client to request addresses or configuration settings from a
specific server
Reply
◦ Sent by a specific server and contains addresses and configuration
settings
Renew
◦ Sent by a client to a specific server to extend the lifetimes of assigned
addresses and obtain updated configuration settings

1. A Solicit message sent by the client to locate the
servers.
2. An Advertise message sent by a server to indicate
that it can provide addresses and configuration
settings.
3. A Request message sent by the client to request
addresses and configuration settings from a
specific server.
4. A Reply message sent by the requested server that
contains addresses and configuration settings.

1. An Information-Request message sent by
the client to request configuration settings
from a server.
2. A Reply message sent by a server that
contains the requested configuration
settings.

Built-in to DHCP Server service
IPv6 node in the console tree
Must configure a static IPv6 address on each
interface

IPv6 node properties
Creating a scope
Configuring scope options
Configuring reservations

Component of Routing and Remote Access
service
1. Add DHCPv6 Relay Agent routing protocol from
the IPv6\General node
2. Add interfaces
3. Configure the IPv6 addresses (global or unique
local) of DHCPv6 servers
DEMO

Most like IPv4
◦ Routers advertise themselves as default routers only
◦ DHCPv6 servers assign address prefixes and options
• Managed Address Configuration flag set to 1
• Other Stateful Address Configuration flag set to 1
Stateless addresses with DHCPv6-based options
◦ Routers advertise address prefixes and themselves as
default routers
◦ DHCPv6 servers assign address prefixes and options
• Managed Address Configuration flag set to 0
• Other Stateful Address Configuration flag set to 1

How does the host know what
to request and where to send
it and what to do with the
results?

Special handling for DNS queries
◦ DirectAccess
◦ DNS Security Extensions (DNSSEC)
For DirectAccess, acts as a client-side conditional forwarder
◦ Determines which names should be directed to which DNS servers
Internet DNS server
DirectAccess server
NRPT
IPv6 addresses for s1.corp.contoso.com?
AAAA = 2002:836b:1:1:0:5efe:10.0.21.117
intranet DNS
server
DirectAccess
client
Internet
intranet

.corp.contoso.com
nls.corp.contoso.com
NRPT
2002:836b:2:1:0:5efe:10.0.0.1
Namespace rules
◦ Namespace or name with address of DNS server
• Result: Use the specified DNS server
Exemption rules
◦ Namespace or name with no DNS server
• Result: Use interface-configured DNS server
Name does not match an NRPT rule, use interfaceconfigured
DNS server

1. Check DNS resolver cache
2. Check NRPT
◦ Determine the set of DNS servers to use
3. Resolve name
◦ FQDNs
• DNS
◦ Single-label, unqualified names
• DNS (with suffixes and name devolution)
• Link-Local Multicast Name Resolution (LLMNR)

DNS messages sent over IPv6 or over IPv4?
◦ Based on IP addresses of determined DNS servers
All records or AAAA-only query?
◦ Most queries are for all records
◦ DirectAccess clients perform AAAA-only queries
DNS query results
◦ Set of A records (IPv4 addresses)
◦ Set of AAAA records (IPv6 addresses)
Now what?
◦ How does the node determine the set of sourcedestination
address pairs with which to initiate
communication?

By default, IPv6 addresses are preferred
◦ To prefer IPv4 addresses
• Set DisabledComponents=0x20
• Modify prefix policy table
Address selection process
◦ A source address selection algorithm to choose the best
source address to use with a destination address
◦ A destination address selection algorithm to sort the list
of possible destination addresses in order of preference
Local prefix policy table to customize preference
of source and destination addresses

netsh interface ipv6 show prefixpolicies
Precedence Label Prefix
---------- ----- ---------------
50 0 ::1/128 (loopback)
40 1 ::/0 (IPv6 addresses)
30 2 2002::/16 (6to4 addresses)
20 3 ::/96 (IPv4-comp addresses)
10 4 ::ffff:0:0/96 (IPv4 addresses)
5 5 2001::/32 (Teredo addresses)
Modify with netsh interface ipv6
add|set|delete prefixpolicy

Application or Winsock obtains the set of destination
addresses (name resolution) and calls the stack for
destination address sorting:
1. For each destination address, perform a route
lookup to determine the sending interface and
source address candidates (strong host send)
2. For each destination address, select the best
source address and create source-destination
pairs (source address selection)
3. Sort source-destination address pairs (destination
address selection)

To determine the best source for each
destination:
◦ Prefer the source address that has a scope
appropriate for the destination address
◦ Prefer a non-deprecated address
◦ Prefer the source address that has the same label in
the prefix policy table as the destination address
◦ Prefer a temporary address over a public address
◦ Prefer the source address that has the longest
matching prefix with the destination

To sort the list of destinations:
◦ Prefer the destination address that matches the scope of
the source address
◦ Prefer destination addresses with source addresses that
are not deprecated
◦ Prefer the destination address that has the same label
from the prefix policy table as its source address
◦ Prefer the destination address that has the highest
precedence from the prefix policy table
◦ Prefer a native IPv6 destination address to an IPv6
transition technology destination address
◦ Prefer the destination address with the smallest scope

Domain members
◦ No problem
Non-domain members
using DHCPv6
◦ DNS tab on the DHCPv6
scope
GOTCHA: Non-domain
members using only
RAs (stateless) can’t
register

Who is assigning IPv6 prefixes/addresses?
◦ Router (stateless)
◦ DHCPv6 server (stateful)
Is DNS traffic to be sent over IPv6?
◦ If yes, assign DNS server and domain name via
DHCPv6
How are nodes registering their AAAA
records?
◦ If via stateless, watch out for requiring secure
updates
• Non-domain joined computers can’t register stateless
(RA) addresses

Portal page
Demonstrate IPv6
DHCPv6 test lab extension
IPv6-only test lab extension

Windows Server Networking on TechNet
Windows Server Networking on MSDN
Windows Networking Writing Team blog
Windows Server Documentation Twitter feed