DHCPv6 Prefix Delegation

What is DHCPv6 Prefix Delegation? Coming from IPv4, you’re already familiar with DHCP (for IPv4) which hands out IPv4 addresses to clients. The same applies to (stateful) DHCPv6: it hands out IPv6 addresses to clients.

However, with IPv6 we’re heavily dealing with subnets rather than just single addresses. Again, you’re familiar with IPv4: For an IPv4-based ISP connection, you’re getting either a single public IPv4 address or a small subnet such as a /29, /28, or the like for your WAN interface. For an IPv6-based ISP connection, you’re getting a subnet which includes multiple unique subnets to be used for other layer 3 segments rather than a single address (with NAT on the CPE). This is where DHCPv6 prefix delegation (commonly abbreviated as DHCPv6-PD) kicks in: It hands out IPv6 subnets to routers.

Let’s have a closer look:

As always, a picture is worth a thousand words:

 

(The arrows in this sketch do not indicate the DHCPv6 protocol flow, but the direction of the information flow.)

That is: Your outer router or firewall (CPE) requests an IPv6 prefix from your ISP. This process occurs with DHCPv6 prefix delegation, RFC 8415, “DHCP for Prefix Delegation”. The delegating router also adds a route to its routing table for the delegated prefix, pointing to the link-local address of your router/firewall. Furthermore, your CPE must distribute /64 subnets out of the received prefix to its downstream interfaces, along with appropriate RAs.

Of course, it is possible to use a DHCPv6 relay from the ISP’s point of view. That is: Not the ISP router itself but an independent DHCPv6 server takes care of all prefixes.

The default prefix length that ISPs SHOULD give to an end site is a /48. However, ISPs tend to hand out a /48 only to business customers and a /56 to residential customers. Refer to RIPE-690 “Best Current Operational Practice for Operators: IPv6 prefix assignment for end-users – persistent vs non-persistent, and what size to choose”. Anyway:

It is strongly discouraged to assign prefixes longer than /56 unless there are very strong and unsolvable technical reasons for doing this.

DHCPv6 Prefix Delegation on the Wire

You can find DHCPv6 packets with prefix delegation in the Ultimate PCAP, display filter: dhcpv6.option.type == 25. Here’s a screenshot showing the “Advertise” message from the ISP router to the end user’s CPE. You can see the typical DHCPv6 address (Non-temporary Address, 3) along with the recursive DNS name server (23), as well as the additional “Identity Association for Prefix Delegation”, option number 25, which includes a /56 prefix in this example.
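The option layout described above, as an added example that is not part of the original post or of any vendor's implementation: a small Python parser that pulls the IA_PD option (25) and its nested IA Prefix option (26) out of a DHCPv6 message, drops prefixes whose lifetimes are inconsistent, and then hands one /64 to each downstream interface as the CPE is expected to do. The function names, the interface names, and the sample message built from 2001:db8::/32 documentation addresses are constructed for illustration.

```python
import ipaddress
import struct

OPT_DNS, OPT_IA_PD, OPT_IAPREFIX = 23, 25, 26  # DHCPv6 option codes

def build_option(code, data):
    """Encode one option TLV (used only to construct the sample below)."""
    return struct.pack("!HH", code, len(data)) + data

def iter_options(buf):
    """Yield (code, data) for each option TLV; reject a truncated option."""
    pos = 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        data = buf[pos + 4:pos + 4 + length]
        if len(data) < length:  # declared length runs past the buffer
            raise ValueError(f"option {code} truncated")
        yield code, data
        pos += 4 + length

def delegated_prefixes(message):
    """Return [(network, preferred, valid)] for every IA Prefix inside an IA_PD."""
    found = []
    for code, data in iter_options(message[4:]):  # skip msg-type + transaction-id
        if code != OPT_IA_PD or len(data) < 12:
            continue
        for sub, body in iter_options(data[12:]):  # skip IAID, T1, T2
            if sub != OPT_IAPREFIX or len(body) < 25:
                continue
            preferred, valid, plen = struct.unpack_from("!IIB", body)
            if plen > 128 or preferred > valid:  # RFC 8415: discard such prefixes
                continue
            net = ipaddress.IPv6Network((body[9:25], plen), strict=False)
            found.append((net, preferred, valid))
    return found

def plan_lan_subnets(net, interfaces):
    """Give each downstream interface one /64 out of the delegated prefix."""
    available = 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 0
    if len(interfaces) > available:
        raise ValueError(f"{net} holds {available} /64s, need {len(interfaces)}")
    return dict(zip(interfaces, net.subnets(new_prefix=64)))

# Constructed sample Advertise (msg-type 2): DNS server plus an IA_PD with a /56.
_iaprefix = build_option(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56)
                         + ipaddress.IPv6Address("2001:db8:1200::").packed)
SAMPLE_ADVERTISE = (bytes([2, 0xAB, 0xCD, 0xEF])
    + build_option(OPT_DNS, ipaddress.IPv6Address("2001:db8::53").packed)
    + build_option(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + _iaprefix))
```

Calling `plan_lan_subnets(delegated_prefixes(SAMPLE_ADVERTISE)[0][0], ["lan", "dmz", "guest"])` maps the three interfaces to the first three /64s of the delegated /56.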

I have warned you!

Please note that you should always prefer a static IPv6 prefix!!! Using dynamic prefixes with DHCPv6-PD is ridiculous. It causes problems and instability – without any advantages. Why are (German) ISPs using it? 1) They are selling it as a privacy option 🤦 and 2) they want you to upgrade to a business connection. That’s it. Luckily, at least my ISP, Deutsche Glasfaser (FTTH), always delegates the same /56 prefix per customer. This is still done via DHCPv6 prefix delegation (which contains the name “dynamic” in it) but on a static basis. Thank you! Details about the connection establishment from them here (only in German).

Again: DO NOT USE an ISP connection with dynamic IPv6 prefixes for an enterprise. I’m serious. You will regret it!

However, speaking of residential ISP connections, we have to deal with it. :(

Soli Deo Gloria!


2 thoughts on “DHCPv6 Prefix Delegation”

  1. The “It is strongly discouraged to assign prefixes longer than /56” part was obviously missed by my current ISP, Fastspeed (in DK). They only assign /60, which makes for very awkward subnets (i.e., not possible to align to VLAN tags). I did of course bring the RFC to their attention, but to no avail. Apparently, they also haven’t re-delegated their ip6.arpa zone to their own DNS server (simple task in RIPE portal, AFAIK), so they can’t re-delegate my subnets to my preferred DNS. I’m not impressed.

    That apart, they assign the same subnet forever – it’s apparently bound to the fiber interface, rather than the attached CPE. And they assign their DHCPv6 PD in a manner that is supported by PAN-OS 11.x, which wasn’t the case for my previous ISP.

    Most tutorials will detail that the CPE getting the DHCPv6 PD should also delegate prefixes to its own subnets, but it is fully possible to split it manually in e.g., /56 prefixes (if you get a /48) and then assign /64 prefixes statically on your CPE interfaces.

  2. I’m new to IPv6 even though I went to school for a network concentration; we never delved much into v6 except its length and how to write it, so I’m trying to get into more of the loop of things.

    I have a question, then. What is meant by a CPE router (just confused by the acronym)? Also, if you get a /54 or a /64 delegation from your ISP, is that the same as making smaller subnets out of IPv4 address allocations? For example, could you split a /56 into smaller ones on your home router?
