20. IPv6 Operations
DHCPv6 modes, extension headers, IPv4 coexistence, multicast listener discovery, and first-hop IPv6 security.
1. 17.8 - DHCPv6
Stateful DHCPv6 uses Solicit, Advertise, Request, and Reply instead of DHCPv4 DORA. The client sends to the multicast address ff02::1:2 and requests an identity association such as IA_NA; its messages may be carried to a remote server inside relay messages.
Prefix Delegation is the operationally important case for routers. A CPE receives a larger prefix such as a /56, then advertises separate /64 prefixes on downstream LANs.
| Mode | Trigger | What DHCPv6 provides |
|---|---|---|
| Stateful | RA M flag set or admin policy | Address binding in IA_NA plus options. |
| Stateless | RA O flag set | Options such as DNS while address still comes from SLAAC. |
| Prefix Delegation | Router requests IA_PD | A delegated prefix to subnet and advertise downstream. |
Minimal C Demo - DHCPv6 Mode Walkthrough
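An added example, not code from the original page: a C classifier that walks the options of a client DHCPv6 message and reports which mode from the table above it exercises. Message types 1, 3 and 11 (Solicit, Request, Information-Request) and option codes 3 (IA_NA) and 25 (IA_PD) are the standard DHCPv6 values; the function name, enum names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum dhcp6_mode { D6_INVALID, D6_OTHER, D6_STATELESS, D6_STATEFUL, D6_PD, D6_STATEFUL_PD };

/* Client/server DHCPv6 message: msg-type (1 byte), transaction-id (3 bytes),
 * then options, each as option-code (2), option-len (2), data (option-len). */
enum dhcp6_mode dhcp6_classify(const uint8_t *m, size_t len) {
    int na = 0, pd = 0;
    if (len < 4) return D6_INVALID;
    if (m[0] != 1 && m[0] != 3 && m[0] != 11)
        return D6_OTHER;                 /* only Solicit, Request, Information-Request */
    for (size_t off = 4; off < len; ) {
        if (len - off < 4) return D6_INVALID;           /* truncated option header */
        unsigned code = (unsigned)m[off] << 8 | m[off + 1];
        size_t olen = (size_t)m[off + 2] << 8 | m[off + 3];
        if (olen > len - off - 4) return D6_INVALID;    /* option overruns the message */
        if (code == 3)  na = 1;          /* IA_NA: client wants an address binding */
        if (code == 25) pd = 1;          /* IA_PD: router wants a delegated prefix */
        off += 4 + olen;
    }
    /* IA options do not belong in an Information-Request (options-only exchange). */
    if (m[0] == 11) return (na || pd) ? D6_INVALID : D6_STATELESS;
    if (na && pd) return D6_STATEFUL_PD;
    if (pd) return D6_PD;
    return na ? D6_STATEFUL : D6_OTHER;
}

int main(void) {
    /* Constructed sample: Solicit carrying a single IA_PD with IAID 1. */
    static const uint8_t solicit_pd[] = {
        1, 0xaa, 0xbb, 0xcc,                     /* Solicit, transaction-id */
        0, 25, 0, 12,                            /* IA_PD, 12 bytes of data */
        0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0 };    /* IAID, T1, T2 */
    printf("mode=%d\n", dhcp6_classify(solicit_pd, sizeof solicit_pd));
    return 0;
}
```

The same bounds-checked option walk is what a DHCPv6 snooping function needs before it trusts any binding it extracts from a message.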
2. 17.9 - Extension Headers
IPv6 moves optional behavior out of the fixed header. Each header names the next one through the Next Header field, so parsing becomes a chain from the fixed IPv6 header to extension headers and finally to TCP, UDP, or ICMPv6.
Source fragmentation uses the Fragment extension header. Routers do not fragment IPv6 packets in transit; an oversized packet is dropped and the router returns ICMPv6 Packet Too Big for Path MTU Discovery.
| Next Header | Name | Operational note |
|---|---|---|
| 0 | Hop-by-Hop Options | Processed by every node; often rate-limited or dropped. |
| 43 | Routing Header | Type 0 is deprecated; SRv6 uses a routing header variant. |
| 44 | Fragment | Created only by the source, never by intermediate routers. |
| 50 / 51 | ESP / AH | IPsec confidentiality or authentication. |
| 60 | Destination Options | Processed by the final destination or selected intermediate target. |
3. 17.10 - IPv6 Transition Mechanisms
IPv6-only clients still need to reach IPv4-only services. DNS64 synthesizes an IPv6 destination from an A record, and NAT64 translates packets between the IPv6-only network and the IPv4 Internet.
464XLAT adds a client-side translator so IPv4-only applications can run on an IPv6-only access network. The CLAT turns local IPv4 packets into IPv6 packets; the provider PLAT then performs NAT64 toward IPv4 destinations.
| Mechanism | State | Where it lives | Best use case |
|---|---|---|---|
| NAT64 + DNS64 | Stateful at NAT64 | Provider or enterprise edge | IPv6-only clients reaching IPv4-only names. |
| 464XLAT | CLAT stateless, PLAT stateful | Device/CPE plus provider edge | IPv4-only apps on IPv6-only mobile or broadband networks. |
| MAP-T | Mostly stateless mapping | CPE and provider border | ISP-scale algorithmic IPv4 sharing over IPv6. |
| MAP-E | Mostly stateless mapping | CPE and provider border | Encapsulated IPv4 service across an IPv6 access network. |
| DS-Lite | Stateful at AFTR CGN | CPE tunnel plus ISP AFTR | IPv4-in-IPv6 access without assigning public IPv4 to CPE. |
Minimal C Demo - NAT64 Address Synthesis
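An added example, not code from the original page: DNS64-style synthesis of an IPv6 destination and the matching NAT64 extraction, in C. It goes beyond the 64:ff9b::/96 case by handling every prefix length RFC 6052 permits (32, 40, 48, 56, 64, 96); the function names are illustrative and the sample address is a documentation address.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int ok_len(int plen) {            /* prefix lengths RFC 6052 allows */
    return plen == 32 || plen == 40 || plen == 48 ||
           plen == 56 || plen == 64 || plen == 96;
}

/* DNS64 side: embed the IPv4 address from an A record after the prefix.
 * Byte 8 (bits 64-71, the reserved "u" octet) is skipped and left zero. */
int nat64_synthesize(const char *prefix, int plen, const char *v4,
                     char *out, socklen_t outlen) {
    uint8_t p[16], a[4], r[16] = {0};
    if (!ok_len(plen) || inet_pton(AF_INET6, prefix, p) != 1 ||
        inet_pton(AF_INET, v4, a) != 1)
        return -1;
    memcpy(r, p, (size_t)plen / 8);
    for (int i = 0, pos = plen / 8; i < 4; i++, pos++) {
        if (pos == 8) pos++;
        r[pos] = a[i];
    }
    return inet_ntop(AF_INET6, r, out, outlen) ? 0 : -1;
}

/* NAT64 side: recover the IPv4 destination; fails if v6 is outside the prefix. */
int nat64_extract(const char *prefix, int plen, const char *v6,
                  char *out, socklen_t outlen) {
    uint8_t p[16], s[16], a[4];
    if (!ok_len(plen) || inet_pton(AF_INET6, prefix, p) != 1 ||
        inet_pton(AF_INET6, v6, s) != 1 || memcmp(p, s, (size_t)plen / 8) != 0)
        return -1;
    for (int i = 0, pos = plen / 8; i < 4; i++, pos++) {
        if (pos == 8) pos++;
        a[i] = s[pos];
    }
    return inet_ntop(AF_INET, a, out, outlen) ? 0 : -1;
}

int main(void) {
    char buf[INET6_ADDRSTRLEN];
    /* 192.0.2.33 is a documentation address used as constructed input. */
    if (nat64_synthesize("64:ff9b::", 96, "192.0.2.33", buf, sizeof buf) == 0)
        printf("AAAA %s\n", buf);
    return 0;
}
```

The prefix comparison in `nat64_extract` is the check that keeps a translator from treating arbitrary IPv6 destinations as embedded IPv4 addresses.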
4. 17.11 - MLD
Multicast Listener Discovery is IPv6's IGMP equivalent. Hosts report multicast membership with ICMPv6 messages, routers query for listeners, and switches use MLD snooping to avoid flooding multicast to every access port.
- MLDv1 maps to IGMPv2-style group membership.
- MLDv2 adds include/exclude source filtering for source-specific multicast.
- Every IPv6 node joins solicited-node multicast groups, which NDP depends on for Neighbor Solicitation delivery.
5. 17.12 - RA Guard and SAVI
First-hop IPv6 security starts by controlling who can send Router Advertisements. RA Guard permits RAs from trusted uplinks and drops rogue RAs from access ports; SAVI then binds observed IPv6 addresses to switch ports and blocks source spoofing.
| Control | Stops | Important limitation |
|---|---|---|
| RA Guard | Fake default gateways and DNS from rogue RAs. | Old implementations could be bypassed with fragmentation or extension headers. |
| Enhanced RA Guard | Fragmentation-based RA Guard bypass. | Needs switch support and correct trusted-port policy. |
| SAVI-SLAAC | Source spoofing for SLAAC addresses. | Relies on observing NDP/DAD events. |
| SAVI-DHCPv6 | Source spoofing for DHCPv6 bindings. | Requires consistent DHCPv6 relay/snooping visibility. |
| SeND | NDP message forgery, by cryptographically protecting NDP messages. | Rarely deployed because key management is heavy. |
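An added example, not code from the original page, tying the Next Header chain of section 17.9 to the RA Guard limitation in the table above: a C classifier for an untrusted access port that follows the whole chain before deciding whether a packet is a Router Advertisement. The verdict names, the strict policy of dropping anything whose chain cannot be followed, and the sample packet are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { FORWARD, DROP_RA, DROP_UNPARSEABLE };

/* Classify one raw IPv6 packet (starting at the fixed header) received on an
 * untrusted access port by following the Next Header chain to the upper layer. */
enum verdict ra_guard_classify(const uint8_t *p, size_t len) {
    if (len < 40 || (p[0] >> 4) != 6) return DROP_UNPARSEABLE;
    uint8_t nh = p[6];                  /* Next Header field of the fixed header */
    size_t off = 40;                    /* where the header named by nh starts */
    for (int n = 0; n < 32; n++) {      /* bound the walk on hostile input */
        size_t hlen;
        switch (nh) {
        case 6: case 17: case 50: case 59:     /* TCP, UDP, ESP, No Next Header */
            return FORWARD;
        case 58:                               /* ICMPv6: type 134 is an RA */
            if (off >= len) return DROP_UNPARSEABLE;
            return p[off] == 134 ? DROP_RA : FORWARD;
        case 0: case 43: case 60: case 51:     /* Hop-by-Hop, Routing, Dest Opts, AH */
            if (off + 2 > len) return DROP_UNPARSEABLE;
            hlen = nh == 51 ? 4u * (p[off + 1] + 2u)    /* AH: 4-byte units, minus 2 */
                            : 8u * (p[off + 1] + 1u);   /* others: 8-byte units, minus 1 */
            break;
        case 44:                               /* Fragment header: fixed 8 bytes */
            if (off + 8 > len) return DROP_UNPARSEABLE;
            if (p[off + 2] | (p[off + 3] & 0xf8))
                return FORWARD;                /* later fragment: no headers to inspect */
            hlen = 8;
            break;
        default:                               /* unrecognized: cannot follow the chain */
            return DROP_UNPARSEABLE;
        }
        if (off + hlen > len) return DROP_UNPARSEABLE;
        nh = p[off];
        off += hlen;
    }
    return DROP_UNPARSEABLE;
}

int main(void) {
    /* Constructed packet: fixed header -> Destination Options -> ICMPv6 RA. */
    static const uint8_t pkt[56] = { [0] = 0x60, [6] = 60, [7] = 255,
                                     [40] = 58, [41] = 0, [48] = 134 };
    printf("verdict=%d\n", ra_guard_classify(pkt, sizeof pkt));
    return 0;
}
```

A filter that only inspects the fixed header's Next Header field would forward the sample packet; a first fragment that ends before the upper-layer header is dropped here because its type cannot be determined.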
6. Interview Prep
| Question | Answer checkpoint |
|---|---|
| How is DHCPv6 SARR different from DHCPv4 DORA? | DHCPv6 uses Solicit, Advertise, Request, Reply and carries identity associations such as IA_NA or IA_PD. |
| What does stateless DHCPv6 provide? | Non-address options; the host address still comes from SLAAC. |
| Why do extension headers create operational risk? | Middleboxes often parse them poorly, and Hop-by-Hop or fragmented chains can be rate-limited or dropped. |
| How does NAT64 + DNS64 work? | DNS64 synthesizes a AAAA under 64:ff9b::/96; NAT64 extracts the embedded IPv4 address and translates packets. |
| What problem does 464XLAT solve? | It lets IPv4-only apps operate across IPv6-only access by adding CLAT before provider NAT64. |
| What do RA Guard and SAVI protect? | RA Guard blocks rogue default-router advertisements; SAVI blocks IPv6 source spoofing using port bindings. |