In the previous chapter, we covered the SSL/TLS application layer protocol in detail. In this chapter, we will continue with other application layer protocols (their basic flows and some generic use cases) and learn how to generate these types of traffic:
- DHCPv6
- DHCv4
- DNS
- HTTP
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is an application layer protocol that provides a DHCPv6 client with IPv6 an address, and other configuration information, that is carried in the DHCPv6 options.
DHCPv6 is both a Stateful Address Autoconfiguration protocol and a Stateless Address Configuration protocol.
The client and server exchange DHCPv6 message over UDP; the client uses a link-local address, DHCPv6 receives message over the link-scoped multicast address. If the DHCPv6 server is not attached to the same link, then a DHCPv6 relay agent on the client's link will relay messages between the DHCPv6 client and DHCPv6 server, as shown in the following screenshot:
Multicast addresses are used by the DHCPv6 client to send datagrams to a group of DHCPv6 servers:
- For all DHCP relay agents and servers, the address is
FF02::1:2(link local) - For all DHCPv6 servers, the address is
FF05::1:3(site local)
Servers and relay agents listen for DHCPv6 messages on UDP port 547; clients listen for DHCPv6 messages on UDP port 546. To find the port information, the netstat command can be used:
[root@bash ~]# netstat -an | grep 547 udp 0 0 :::547 :::*
DHCPv6 messages are exchanged over UDP port 546 and 547 and the messages are described in the following table:
DHCPv6 message exchanges happen in order to obtain the IPv6 addresses, configuration (NTP server, DNS server), or RENEW/RELEASE/DECLINE of the IPv6 address, and these message exchanges are categorized in two parts:
- Client-server with a four-message exchange
- Client-server with a two-message exchange
The acronym for a four-message exchange is SARR, and it is used to request the assignment of one or more IPv6 addresses. The message flow is as follows:
SOLICITADVERTISEREQUESTREPLY
Open the DHCPv6-Flow-SOLICIT.pcap file in Wireshark, and examine the IP assignment flow as shown:
The preceding screenshot shows a SARR flow packet being captured. IPv6 is assigned to the DHCPv6 client, and the message exchanges in detail are:
SOLICIT: The client (fe80::f816:3eff:fe1d:e848) sends aSOLICITmessage to locate the servers. Note the destination is multicastff02::1:2not the server (destination) IPv6 address:- The client includes its client-identifier option
dhcpv6.option.type == 1. - The client sends it ORO option (
dhcpv6.option.type == 6) to the server that is interested in receiving. In this case, the client has requested the name server information. - In this example, the client uses the IA_NA options to request the assignment of non-temporary addresses (
dhcpv6.option.type == 3) and uses IA_TA options to request the assignment of temporary addresses. - The client IA address option is used to specify IPv6 addresses associated with IA_NA or IA_TA. In this example, it's associated with IA_NA.
- The client includes its client-identifier option
ADVERTISE: The server (fe80::f816:3eff:fe1d:e848) sends theADVERTISE(dhcpv6.msgtype == 2) message to the client (fe80::f816:3eff:fe1d:e848). There can be multiple servers that will respond to the clientSOLICITmessage; the client will choose the DHCPv6 server based on its preference:- The server updates the IA_NA (
dhcpv6.option.type == 3) value based on its preferences. - The server includes its server identifier (
dhcpv6.option.type == 2) information. The Server Identifier option is used to carry DUID. The DUID is the DHCP Unique Identifier, the host identifier in IPv6. (In the case of DHCPv4, the host identifier is the MAC address.) - The server includes the name server (
dhcpv6.option.type == 23) information as requested in theSOLICITmessage. - The server transaction ID
0x10eafein this case must match with the clientSOLICITtransaction ID.
- The server updates the IA_NA (
REQUEST: In this message the client chooses one of the servers and sends aREQUESTmessage to the server asking for confirmed assignment of addresses and other configuration information:- The client (
fe80::f816:3eff:fe1d:e848) constructs theREQUESTpacket and sends it to multicastff02::1:2 - The client includes a new transaction ID:
0x3ec03e.(random) - The client include server identifier information in the
REQUESTpacket
- The client (
REPLY: In the case of a validREQUESTmessage, the server creates the bindings for that client according to the server's policy and configuration information, records the IAs and other information requested by the client, and sends aREPLYmessage by settingdhcpv6.msgtype == 7:
The two-message exchange will be performed between client and server when IP address assignment is not required or when the DHCPv6 client wants to obtain configuration information such as a list of available DNS servers or NTP servers—for example CONFIRM-REPLY and RELEASE-REPLY. Open the sample DHCPv6-Flow-CONFIRM-RELEASE.pcap file in Wireshark, which shows that a two-message exchange was performed:
- DHCPv6 messages
CONFIRM-REPLYandRELEASE-REPLY:
- DHCPv6 messages
INFOMRATION-REQUEST: The client sends theINFORMATION-REQUESTwhen the client requests configuration settings (but not addresses)—for example, DNS, NTP. As shown in the following screenshot, open theDHCPv6-Information_request.pcapfile in Wireshark:
- The rapid commit option is used to obtain the IPv6 address assignment in the two-message exchange, as shown in the following screenshot example,
DHCPv6-Rapid-Commit.pcap. Note that rapid commit is not a separate DHCPv6 message and is part of theSOLICIToption:
- If a client that supports the rapid commit option intends to use the rapid commit capability, it includes a rapid commit option in the
SOLICITmessages that it sends. - If the client receives a
REPLYmessage with a rapid commit option, it should process theREPLYimmediately (without waiting for additionalADVERTISEorREPLYmessages) and use the address and configuration information contained therein. - If the server doesn't support the rapid commit option, then it will follow with a four-message exchange (SOLICIT, ADVERTISE, REQUEST, and REPLY known as SARR).
- If a client that supports the rapid commit option intends to use the rapid commit capability, it includes a rapid commit option in the
Use dhclient to simulate DHCPv6 traffic over the network. For this, do the following:
- Make sure a DHCPv6 server is set up. This example is performed over an ISC Dynamic Host Configuration Server (dhcpd) server.
- Run the
tcpdumputility to capture IPv6 traffic:bash$ tcpdump -i any ip6 -vv -w DHCPv6-FLOW.pcap -s0 &Make sure the DHCPv6 server is running in your network.
- To capture a DHCPv6 four-message exchange (SARR):
bash$ dhclient -6 eth0 - To capture the DHCPv6
RELEASEmessage:bash$ dhclient -6 -r eth0 - To capture the DHCPv6
CONFIRMmessage:bash$ dhclient -6 eth0 - To capture the DHCPv6
INFORMATIONrequest:bash$ dhclient -S -6 eth0