Stateless IP being assigned instead of DHCP address

Question

Here is the information:

Host link IP: fe80::9eec:b32d:855c:5589
Server link IP: fe80::f03c:91ff:fe11:96c4

Host global IP: 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727 (Ugh!)
Server global IP: 2601:aaaa:bbbb:cccc::1

Server has routed block for 2601:aaaa:bbbb:cccc::/64

DHCP trying to assign this IP to host: 2601:aaaa:bbbb:cccc:1000::fa8d

Host must be GENERIC: Host has NO custom network configuration as a requirement. All hosts are assumed to be computers that anyone has and they plug them in and they should work without any customizations. This means that dhclient should NEVER be used on an IPv6 client: everything should be done through SLAAC or stateful SLAAC (what I am trying to accomplish).

Host works great with browser defaulting to IPv6 and has no issue reaching all sites whether IPv6 or IPv4.

Host Networking:

2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 28:d2:44:6b:bf:9f brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.102/24 brd 172.21.0.255 scope global dynamic noprefixroute enp0s25
       valid_lft 39535sec preferred_lft 39535sec
    inet6 2601:aaaa:bbbb:cccc:ec25:e54d:4255:6c76/64 scope global temporary dynamic 
       valid_lft 86199sec preferred_lft 14199sec
    inet6 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86199sec preferred_lft 14199sec
    inet6 fe80::9eec:b32d:855c:5589/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Server's radvd configuration:

root@li336-239:/var# cat /etc/radvd.conf
interface tap0
{
    AdvSendAdvert on;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    prefix 2601:aaaa:bbbb:cccc::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};

Host and server can see each other without any problem prior to global IP assignment:

Server: ping6 -c2 fe80::9eec:b32d:855c:5589%tap0 --> Success
Host: ping6 -c2 fe80::f03c:91ff:fe11:96c4%enp0s25 --> Success

Host and Server see eachother perfectly as neighbors with their link IPs and their global IPs:

Host/Server: ip -6 neigh --> successfully lists everything

ip6tables: All FORWARD and INPUT chains are not restricted: no packets dropped

DHCP Server when host goes physically online:

10:16:39 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:16:39 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:16:39 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546
10:16:40 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:16:40 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:16:40 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546
10:16:42 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:16:42 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:16:42 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546
10:16:46 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:16:46 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:16:46 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546
10:16:55 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:16:55 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:16:55 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546
10:17:13 li336-239 dhcpd[5067]: Solicit message from fe80::9eec:b32d:855c:5589 port 546, transaction ID 0x83D90700
10:17:13 li336-239 dhcpd[5067]: Advertise NA: address 2601:aaaa:bbbb:cccc:1000::fa8d to client with duid 00:01:00:01:22:b0:4f:4a:28:d2:44:6b:bf:9f iaid = 1147912095 valid for 600 seconds
10:17:13 li336-239 dhcpd[5067]: Sending Advertise to fe80::9eec:b32d:855c:5589 port 546

... but host seems to assign itself 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727 (different each time) instead which would be wonderful if I didn't want this to be stateful.

Host upon physical connection:

root@some-computer:~# ip monitor
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default 
    link/ether 28:d2:44:6b:bf:9f brd ff:ff:ff:ff:ff:ff
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default 
    link/ether 28:d2:44:6b:bf:9f brd ff:ff:ff:ff:ff:ff
Deleted ff02::1:ff5c:5589 dev enp0s25 lladdr 33:33:ff:5c:55:89 NOARP
Deleted ff02::2 dev enp0s25 lladdr 33:33:00:00:00:02 NOARP
Deleted fe80::f03c:91ff:fe11:96c4 dev enp0s25 lladdr f2:3c:91:11:96:c4 router STALE
Deleted ff02::fb dev enp0s25 lladdr 33:33:00:00:00:fb NOARP
Deleted ff02::1:2 dev enp0s25 lladdr 33:33:00:01:00:02 NOARP
Deleted ff02::16 dev enp0s25 lladdr 33:33:00:00:00:16 NOARP
Deleted ff02::1:ff55:6c76 dev enp0s25 lladdr 33:33:ff:55:6c:76 NOARP
Deleted ff02::1:fff9:e727 dev enp0s25 lladdr 33:33:ff:f9:e7:27 NOARP
ff00::/8 dev enp0s25 table local metric 256 pref medium
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default 
    link/ether 28:d2:44:6b:bf:9f brd ff:ff:ff:ff:ff:ff
Deleted ff00::/8 dev enp0s25 table local metric 256 pref medium
ff00::/8 dev enp0s25 table local metric 256 pref medium
fe80::/64 dev enp0s25 proto kernel metric 256 pref medium
2: enp0s25    inet 172.21.0.102/24 brd 172.21.0.255 scope global dynamic noprefixroute enp0s25
       valid_lft 39738sec preferred_lft 39738sec
local 172.21.0.102 dev enp0s25 table local proto kernel scope host src 172.21.0.102 
broadcast 172.21.0.255 dev enp0s25 table local proto kernel scope link src 172.21.0.102 
broadcast 172.21.0.0 dev enp0s25 table local proto kernel scope link src 172.21.0.102 
172.21.0.0/24 dev enp0s25 proto kernel scope link src 172.21.0.102 metric 100 
default via 172.21.0.1 dev enp0s25 proto dhcp metric 20100 
ipv4 dev enp0s25 rp_filter loose 
172.21.0.1 dev enp0s25 lladdr 00:e0:4c:68:3b:72 REACHABLE
169.254.0.0/16 dev enp0s25 scope link metric 1000 
10.16.0.1 dev enp0s25 lladdr f2:3c:91:11:96:c4 REACHABLE
2: enp0s25    inet6 fe80::9eec:b32d:855c:5589/64 scope link 
       valid_lft forever preferred_lft forever
local fe80::9eec:b32d:855c:5589 dev enp0s25 table local proto kernel metric 0 pref medium
2: enp0s25    inet6 fe80::9eec:b32d:855c:5589/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
Deleted fe80::/64 dev enp0s25 proto kernel metric 256 pref medium
fe80::/64 dev enp0s25 proto kernel metric 256 pref medium
fe80::/64 dev enp0s25 proto kernel metric 100 pref medium
2: enp0s25    inet 172.21.0.102/24 brd 172.21.0.255 scope global dynamic noprefixroute enp0s25
       valid_lft 39736sec preferred_lft 39736sec
default via 172.21.0.1 dev enp0s25 proto dhcp metric 100 
Deleted default via 172.21.0.1 dev enp0s25 proto dhcp metric 20100 
fe80::f03c:91ff:fe11:96c4 dev enp0s25 lladdr f2:3c:91:11:96:c4 router STALE
2: enp0s25    inet6 fe80::9eec:b32d:855c:5589/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
2601:aaaa:bbbb:cccc::/64 dev enp0s25 proto ra metric 100 pref medium
default via fe80::f03c:91ff:fe11:96c4 dev enp0s25 proto ra metric 100 pref medium
[!!HERE--->] 2: enp0s25    inet6 2601:aaaa:bbbb:cccc:ec25:e54d:4255:6c76/64 scope global temporary dynamic 
       valid_lft 86399sec preferred_lft 14399sec
local 2601:aaaa:bbbb:cccc:ec25:e54d:4255:6c76 dev enp0s25 table local proto kernel metric 0 pref medium
[!!HERE--->] 2: enp0s25    inet6 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86399sec preferred_lft 14399sec
[!!HERE--->] local 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727 dev enp0s25 table local proto kernel metric 0 pref medium

Answer 1

host seems to assign itself 2601:aaaa:bbbb:cccc:1854:46d6:c2f9:e727

Your router advertisements have AdvAutonomous on, which tells them that stateless configuration is supported on the network. If you don't want autonomous address autoconfiguration, don't enable autonomous address autoconfiguration.

This applies even if the RAs have AdvManaged on, and even if the hosts receive a DHCPv6 advertisement. (RFC 4862: "It should be noted that a host may use both stateless address autoconfiguration and DHCPv6 simultaneously.")

This means that dhclient should NEVER be used on an IPv6 client: everything should be done through SLAAC or stateful SLAAC (what I am trying to accomplish).

There is no such thing as "stateful SLAAC" (indeed the 'SL' stands for 'stateless').

At most, the SLAAC advertisements can prompt the client to use DHCPv6 – but they cannot force the client to do DHCPv6. For example:

• Linux by default performs SLAAC in kernel, and the kernel will not automatically fork a DHCP client, neither dhclient -6 nor dhcpcd -6 nor wide-dhcp6c. This only happens if userspace which would understand that flag (e.g. NetworkManager or systemd-networkd) is already running.

• FreeBSD's dhclient in base lacks DHCPv6 support; the dual version is in ports.

• OpenBSD has no DHCPv6 client in base (one must be installed through ports).

• Android does not support DHCPv6 at all.

Your client seems to be running NetworkManager, but even then, there is no guarantee that it won't require manual configuration depending on which version it is, and on which external DHCPv6 clients are installed. (If dhcp=internal is selected, current versions only support DHCPv4.)

It is also possible that clients will only attempt DHCPv6 if autonomous configuration is disabled (see 1st part of the answer), but then you'll end up with IPv6 unusable by clients lacking DHCPv6.

---

If your goal is to have accountability, I would instead keep a log of IPv6 address to MAC address associations. This can be implemented by monitoring Neighbour Advertisements, or by watching the router's ND cache (ip -6 neigh), and the advantage is that it'll work regardless of mechanism – SLAAC, privacy-extension, DHCPv6, DHCPv4, even statically configured addresses will be tracked.