In the previous chapter, we covered the SSL/TLS application layer protocol in detail. In this chapter, we will continue with other application layer protocols (their basic flows and some generic use cases) and learn how to generate these types of traffic:
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is an application layer protocol that provides a DHCPv6 client with IPv6 an address, and other configuration information, that is carried in the DHCPv6 options.
DHCPv6 is both a Stateful Address Autoconfiguration protocol and a Stateless Address Configuration protocol.
The client and server exchange DHCPv6 message over UDP; the client uses a link-local address, DHCPv6 receives message over the link-scoped multicast address. If the DHCPv6 server is not attached to the same link, then a DHCPv6 relay agent on the client's link will relay messages between the DHCPv6 client and DHCPv6 server, as shown in the following screenshot:
Multicast addresses are used by the DHCPv6 client to send datagrams to a group of DHCPv6 servers:
FF02::1:2
(link local)FF05::1:3
(site local)Servers and relay agents listen for DHCPv6 messages on UDP port 547
; clients listen for DHCPv6 messages on UDP port 546
. To find the port information, the netstat
command can be used:
[root@bash ~]# netstat -an | grep 547 udp 0 0 :::547 :::*
DHCPv6 messages are exchanged over UDP port 546
and 547
and the messages are described in the following table:
DHCPv6 message exchanges happen in order to obtain the IPv6 addresses, configuration (NTP server, DNS server), or RENEW
/RELEASE
/DECLINE
of the IPv6 address, and these message exchanges are categorized in two parts:
The acronym for a four-message exchange is SARR, and it is used to request the assignment of one or more IPv6 addresses. The message flow is as follows:
SOLICIT
ADVERTISE
REQUEST
REPLY
Open the DHCPv6-Flow-SOLICIT.pcap
file in Wireshark, and examine the IP assignment flow as shown:
The preceding screenshot shows a SARR flow packet being captured. IPv6 is assigned to the DHCPv6 client, and the message exchanges in detail are:
SOLICIT
: The client (fe80::f816:3eff:fe1d:e848
) sends a SOLICIT
message to locate the servers. Note the destination is multicast ff02::1:2
not the server (destination) IPv6 address:dhcpv6.option.type == 1
.dhcpv6.option.type == 6
) to the server that is interested in receiving. In this case, the client has requested the name server information.dhcpv6.option.type == 3
) and uses IA_TA options to request the assignment of temporary addresses.ADVERTISE
: The server (fe80::f816:3eff:fe1d:e848
) sends the ADVERTISE
(dhcpv6.msgtype == 2
) message to the client (fe80::f816:3eff:fe1d:e848
). There can be multiple servers that will respond to the client SOLICIT
message; the client will choose the DHCPv6 server based on its preference:dhcpv6.option.type == 3
) value based on its preferences.dhcpv6.option.type == 2
) information. The Server Identifier option is used to carry DUID. The DUID is the DHCP Unique Identifier, the host identifier in IPv6. (In the case of DHCPv4, the host identifier is the MAC address.)dhcpv6.option.type == 23
) information as requested in the SOLICIT
message.0x10eafe
in this case must match with the client SOLICIT
transaction ID.REQUEST
: In this message the client chooses one of the servers and sends a REQUEST
message to the server asking for confirmed assignment of addresses and other configuration information:fe80::f816:3eff:fe1d:e848
) constructs the REQUEST
packet and sends it to multicast ff02::1:2
0x3ec03e.(random)
REQUEST
packetREPLY
: In the case of a valid REQUEST
message, the server creates the bindings for that client according to the server's policy and configuration information, records the IAs and other information requested by the client, and sends a REPLY
message by setting dhcpv6.msgtype == 7
:The two-message exchange will be performed between client and server when IP address assignment is not required or when the DHCPv6 client wants to obtain configuration information such as a list of available DNS servers or NTP servers—for example CONFIRM-REPLY
and RELEASE-REPLY
. Open the sample DHCPv6-Flow-CONFIRM-RELEASE.pcap
file in Wireshark, which shows that a two-message exchange was performed:
CONFIRM-REPLY
and RELEASE-REPLY
:INFOMRATION-REQUEST
: The client sends the INFORMATION-REQUEST
when the client requests configuration settings (but not addresses)—for example, DNS, NTP. As shown in the following screenshot, open the DHCPv6-Information_request.pcap
file in Wireshark:DHCPv6-Rapid-Commit.pcap
. Note that rapid commit is not a separate DHCPv6 message and is part of the SOLICIT
option:SOLICIT
messages that it sends.REPLY
message with a rapid commit option, it should process the REPLY
immediately (without waiting for additional ADVERTISE
or REPLY
messages) and use the address and configuration information contained therein.Use dhclient
to simulate DHCPv6 traffic over the network. For this, do the following:
tcpdump
utility to capture IPv6 traffic:bash$ tcpdump -i any ip6 -vv -w DHCPv6-FLOW.pcap -s0 &
Make sure the DHCPv6 server is running in your network.
bash$ dhclient -6 eth0
RELEASE
message:bash$ dhclient -6 -r eth0
CONFIRM
message:bash$ dhclient -6 eth0
INFORMATION
request:bash$ dhclient -S -6 eth0
18.191.29.22