Mysterious missing DHCPv6 feature, was Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?

Ben Jencks ben at bjencks.net
Wed May 19 04:50:42 CEST 2010


On Tue, May 18, 2010 at 20:35, Doug Barton <dougb at dougbarton.us> wrote:
> On 5/18/2010 3:57 AM, Benedikt Stockebrand wrote:
>>
>> ... but showing up after ten or more years complaining that one's
>> existing business model isn't protected is not.
>
> I actually agreed with a lot of what you wrote, but here is where I take
> exception. I actually DID say "No one is going to deploy IPv6 in an
> enterprise network without DHCP that looks substantially like it does in
> IPv4, and supports the same options." I was shouted down LOUDLY by the
> autoconf religious zealots, so I went away. I had a lot of company in
> both regards (what I said, and not bothering to keep saying it since no
> one was listening).
>
> I (and others) have continued to try to say these things periodically
> over the past decade, and we continue to get shouted down, although less
> loudly nowadays. Eventually I think this debate (DHCP vs. RA) will go
> the same way IPv6 PI space did, religious zealots dragged kicking and
> screaming into reality by those who are more interested in seeing IPv6
> actually deployed.

Admittedly, I came into this late, only a couple years ago, but I
haven't seen anyone arguing DHCP vs. RA. Rather, I've seen one side
arguing that DHCP+RA is a perfectly good solution, and it's what we
have now, and the other side arguing that RA is Evil and should be
eliminated in favor of pure DHCP.

The debate is getting tiresome, though. Every time anyone brings up
even a semi-valid point on one side, people on the other side trot out
the same tired arguments against all the invalid points they've seen
over and over, turning it into the exact same debate we have every
month. I'll try to keep my arguments to the points you actually
raised.

[snip]

> In no particular order, the main reasons enterprises like DHCP:
> 1. It allows them to configure multiple aspects of Host Configuration,
> not just the bare minimums required for connectivity.

Yes... DHCPv6 is standardized and works perfectly well, in conjunction with RAs.

> 2. Configuring one (or at most a few) DHCP servers is easier than
> configuring many routers.

You have to configure those routers with their addresses and prefixes
anyway, otherwise they won't be able to route. The Managed Address
Configuration flag is the only extra information you need to configure
on the routers. And the relay agent needs configuring regardless of
whether RA is used or not.

> 3. The administrative domains covered by network administration and
> those who configure DHCP are often different, and the needs of the
> latter are often more dynamic (pardon the pun) which requires fast
> response times to meet effectiveness goals.

See #1.

> 4. Security concerns related to rogue/misconfigured RA messages. (This
> is the everyone fails instantly vs. only failing when you renew your
> lease problem.) Yes, I know that RA guard is "almost done," but the
> concern remains valid.

Some people consider that failure mode a feature, not a bug (lets you
see cause/effect more easily), but either way, it's hard to take
seriously a complaint of "if you configure it wrong it doesn't work".
Luckily, most of the frequently changing information is on the DHCP
server, so the routers can be under stricter change control. For the
rogue RA issue, RA guard really is the solution, and I find it bizarre
that it started so recently -- did people even 5 years ago really
believe that key management would be a solved problem and everyone
would use SeND?

The only use case that I've seen that DHCPv4 satisfies and DHCPv6+RA
doesn't is where different hosts on the same subnet need different
default routers. Something like draft-droms-dhc-dhcpv6-default-router
or draft-dec-dhcpv6-route-option-02 could satisfy that use case.

-Ben


More information about the ipv6-ops mailing list