DHCPv6 and DUID Confusion

Published: 2014-04-23
Last Updated: 2014-04-23 23:50:49 UTC
by Johannes Ullrich (Version: 1)

In IPv6, DHCP is taking somewhat of a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, particularly for enterprise and larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use.

One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier) which can be different from a MAC address. There are essentially three ways to come up with a DUID:

Link Layer + Time: In this case, the host will, on first boot, create a DUID from one interface's link layer address (the MAC address for Ethernet) and a timestamp (seconds since Epoch). This DUID will be saved to disk and remain constant even if the network card is swapped later.

Link Layer: Some hosts may not be able to retain a DUID between reboots. In this case, the link layer address is used.

Vendor Assigned: You can also just assign an arbitrary DUID, maybe a host name, to identify the host.

Regardless of which method you use, the sad part is that each operating system, and in some cases different software on the same operating system, chooses to display the DUID differently, making correlation hard.

Here are a few examples:

Linux seems to like a mix of octal and ASCII characters (if the value represents a printable character). For example:

\000\001\000\001\032\336\306\373\000\014)g\317\002

However, in Linux configuration files for DHCPv6 servers and clients, you may find a simpler hex format:

option dhcp6.client-id 0:1:0:1:1a:de:c6:fb:0:c:29:67:cf:2;

OS X, on the other hand, displays the time part in decimal and the MAC address part in hexadecimal:

ipconfig getv6packet en0
CLIENTID (1) Length 14 DUID LLT HW 1 Time 389824106 Addr 40:6c:8f:11:d7:5c

Windows prefers to display the hexadecimal version in the output of "ipconfig /all":

DHCPv6 Client DUID. . . : 00-01-00-01-13-0D-1E-A2-00-0C-29-A3-D3-30

To help myself a bit with this confusion, I started a little script that will convert DUIDs from different formats. It isn't quite done yet, but good enough to see if anybody finds it helpful and would like to test it. You can download the script from https://isc.sans.edu/diaryimages/duidconvert.pl
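To make the correlation problem concrete, here is an added Python example (not the duidconvert.pl script mentioned above, and not code from this diary) that normalizes the Linux octal/ASCII, colon-hex and Windows dash-hex forms shown earlier to raw bytes and splits out the DUID-LLT fields. The function names are this example's own, and the time field is read per RFC 3315 as seconds from 2000-01-01 UTC.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# RFC 3315: the DUID-LLT time field counts seconds from 2000-01-01 00:00 UTC.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

def parse_duid(text):
    """Return raw DUID bytes from octal/ASCII, colon-hex or dash-hex text."""
    text = text.strip().rstrip(";")
    if "\\" in text:  # Linux style: \ooo octal escapes mixed with literal ASCII
        out, i = bytearray(), 0
        while i < len(text):
            m = re.match(r"\\([0-3][0-7]{2})", text[i:])
            if m:
                out.append(int(m.group(1), 8))
                i += 4
            else:
                if text[i] == "\\" and i + 1 < len(text):
                    i += 1  # escaped literal such as \" or \\
                out.append(ord(text[i]))
                i += 1
        return bytes(out)
    # Hex styles: bytes separated by ':' or '-', leading zeros may be dropped
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))

def decode_duid(raw):
    """Split a DUID into its fields; only LLT (1) and LL (3) are broken down."""
    duid_type = struct.unpack("!H", raw[:2])[0]
    info = {"type": duid_type, "hex": raw.hex()}
    if duid_type == 1 and len(raw) >= 8:      # DUID-LLT: type, hw type, time, address
        hw, secs = struct.unpack("!HI", raw[2:8])
        info.update(hw_type=hw, time=secs,
                    created=DUID_EPOCH + timedelta(seconds=secs),
                    link_addr=raw[8:].hex(":"))
    elif duid_type == 3 and len(raw) >= 4:    # DUID-LL: type, hw type, address
        info.update(hw_type=struct.unpack("!H", raw[2:4])[0],
                    link_addr=raw[4:].hex(":"))
    return info

def same_host(a, b):
    """True when two differently formatted DUID strings are the same DUID."""
    return parse_duid(a) == parse_duid(b)

# The display strings shown earlier in this diary
LINUX_OCTAL = r"\000\001\000\001\032\336\306\373\000\014)g\317\002"
LINUX_CONF = "0:1:0:1:1a:de:c6:fb:0:c:29:67:cf:2"
WINDOWS = "00-01-00-01-13-0D-1E-A2-00-0C-29-A3-D3-30"
```

Comparing on the raw bytes (or the `hex` field) rather than on any one display string is what lets DHCPv6 server logs, client configuration files and host inventory output be joined on the same key.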


[To learn more about IPv6 Security, check out my class IPv6 Security Essentials]

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dhcp dhcpv6 duid