IPv6 DHCP Relay

IPv6 DHCP relay is configured on the Security Gateway through the Portal or the CLI. You can configure each interface to send requests to a different set of DHCPv6 servers.

Best Practices:

• Management Servers R80.10 and above include pre-defined DHCPv6 services. These built-in services do stateful inspection of DHCPv6 traffic for enhanced security. Upgrade your older management servers before you configure DHCPv6 relay.
• In a cluster environment, you must configure DHCPv6 on each cluster member.

For more technical information on the DHCPv6 protocol and IPv6 DHCP relay, refer to RFC 3315.

Configuring DHCPv6 Relay on the Security Gateway - Gaia Portal

To enable DHCP relay for IPv6 on an interface:

1. Open the Advanced Routing > IPv6 DHCP Relay page of the Portal.
2. Click Add.

   The Add IPv6 DHCP Relay window opens.

3. Select an Interface on which to enable DHCPv6 relay.
4. Select the settings for Send Interface-ID.
5. Optional: Enter a value for Wait Time.
6. Add an IPv6 unicast address for each relay destination to which you want to forward DHCPv6 requests.

   For each relay destination:

   1. Click the Add button in the Relays section of the Add IPv6 DHCP Relay window.

      The Add Relay window opens.

   2. Enter the IPv6 address of the relay destination (the DHCP server).
   3. Click Ok.
7. Click Save.
8. In the Monitoring tab, make sure that the DHCPv6 relay runs on the required interface(s).

Configuring DHCPv6 Relay on the Security Gateway - Gaia Clish

Use these commands to configure DHCP properties for specific interfaces:

set ipv6 dhcp6relay interface <if_name> wait-time {default | <0 - 65535>} interface-id {on | off} relay-to <ipv6_address> {on | off} {on | off}

DHCPv6 parameters

Parameter	Description	Allowed Values	Default Value
Interface	The name of an interface to run DHCPv6 Relay on. You can enable DHCPv6 Relay for multiple interfaces, and configure each interface independently. The interface must be directly connected to the DHCPv6 clients. It is not necessary to enable DHCPv6 Relay on the interface connected to the DHCPv6 Server.
Wait Time	The minimum time to wait (in seconds) for a local configuration server to answer the boot request before forwarding the request through the interface. This delay provides an opportunity for a local configuration server to reply before attempting to relay to a remote server. Set the wait time to a sufficient length to let the local configuration server respond before the request is forwarded. If no local server is present, or if another server listens on the same interface, and it is the preferred server, set the time to zero (0).	0-65535	0
Interface ID	When the DHCPv6 relay request includes the interface ID value, the server copies it from the relay request to the reply message. The interface ID identifies from which interface the DHCPv6 request was received. Use this option when the IPv6 address of the interface that runs the DHCPv6 relay is not sufficient to uniquely identify that interface.	On, Off	On
Relay to Server	The IPv6 address of the DHCP configuration server/relay to which to forward DHCP requests. You can configure relay to multiple configuration servers independently on each interface. Configuration of different servers on different interfaces provides load balancing, while configuration of multiple servers on one interface provides redundancy. The server IPv6 address cannot be an address which belongs to the local computer.	Usually a DHCP server, but can be another DHCP relay

Monitoring DHCPv6 Relay - Gaia Clish (show dhcp)

Use this group of commands to monitor and troubleshoot the DHCP implementation:

show ipv6 dhcp6relay interfaces interface <if_name> stats

Configuring DHCPv6 Security Policy

DHCPv6 clients and servers send and receive messages through UDP. A special link-scoped multicast address is defined. This address lets DHCPv6 clients request configuration information when they do not know the IPv6 address of a relay or server:

All_DHCPv6_Relay_Agents_and_Servers (FF02::1:2 – all DHCPv6 Relays and Servers on the local link)

• The client sends DHCPv6 requests as UDP unicasts or multicasts with source port 546 and destination port 547. The related security policy service is dhcpv6-request.
• DHCPv6 replies to a client are sent as UDP unicasts to the client's IPv6 link-local address. They are sent with source port 547 and destination port 546. The related security policy service is dhcpv6-reply.
• The relay and server send DHCPv6 traffic between them as IPv6 UDP unicasts with source port 547 and destination port 547. Multiple server addresses can be specified. Each server address must be an IPv6 unicast address. Each server address can refer to a DHCPv6 server or one more DHCPv6 relay. The related security policy service is dhcpv6-relay.
• Unlike IPv4 BOOTP/DHCP Relay, DHCPv6 server sends its replies to the nearest relay to the server, as opposed to the nearest relay to the client.

To configure a DHCPv6 Security Policy:

1. Go to the main SmartConsole Menu () Global Properties > Firewall. If the Accept outgoing packets originating from gateway implied rule is enabled, then from the drop-down menu, select Last or Before Last.
2. Create a new host for the DHCP server. In the SmartConsole main view, go to Objects > New Host.

   The New Host window opens.

   1. Enter the server name.
   2. In the Ipv6 address field, enter the server's address.
   3. Click OK.
3. Create a new client network. In the SmartConsole main view, go to Objects > New Network.

   The New Network window opens.

   1. Enter the object name.
   2. Enter the Network address Prefix for the network to which the DHCP clients are connected.
   3. Click OK.
4. Configure the required Security Policy rules with the DHCPv6 services (dhcpv6-request, dhcpv6-reply and dhcpv6-relay).

   Note - Use:

   • The DHCPv6-Relay object which you configured on the Security Gateway.
   • All_DHCPv6_Relay_Agents_and_Servers which is pre-defined in SmartConsole.
   • IPv6_Link_Local_Hosts which is pre-defined in SmartConsole.

   For example:

   Source IP	Destination IP	Service	Notes
   <IPv6 Link Local Hosts>	<All DHCPv6 Relay Agents and Servers>	dhcpv6-request	Allows requests from DHCPv6 clients to a DHCPv6 relay (on a Gaia Security Gateway) which is directly connected to the client network.
   <DHCPv6 Relay> <IPv6 Link Local Hosts>	<IPv6 Link Local Hosts>	dhcpv6-reply	Allows replies from a DHCPv6 relay to local DHCPv6 clients.
   <DHCPv6 Relay>	<DHCPv6 Server>	dhcpv6-relay	Allows traffic between DHCPv6 relays and DHCPv6 servers.
   <DHCPv6 Server>	<DHCPv6 Relay>	dhcpv6-reply	With the implied rules in their default settings (Before Last), replies from the DHCPv6 Server to the DHCPv6 relay are automatically accepted when the reply matches a request from the relay to the server. However, to make sure that such replies are accepted, we recommend to make an explicit rule to allow traffic from the DHCPv6 Server to the DHCPv6 Relay.
   <Client Network>	<DHCPv6 Server>	dhcpv6-request	When DHCPv6 relay is used, the DHCPv6 client can still send requests directly to the DHCPv6 server.
   <DHCPv6 Server>	<Client Network>	dhcpv6-reply	Accepts replies from DHCPv6 servers to DHCPv6 clients. When DHCPv6 relay is used, the DHCPv6 client can still receive replies directly from a remotely located DHCPv6 server through UDP unicasts.

5. Install the Access Control Policy on the applicable Security Gateways.