Educause Security Discussion mailing list archives

Re: Address allocation on the network - DHCP, IPv6 etc.


From: Matthew Gracie <graciem () CANISIUS EDU>
Date: Fri, 19 Mar 2010 07:48:09 -0400

Andrew Daviel wrote:
Some fallout from a discussion on an IPv6 forum -

How are people tracking or authenticating devices on the network?


Currently, for wired devices that stay in one location, we add the MAC
address to DHCP and create a DNS entry. The name, in our minds, is the
device for practical purposes. If we get a complaint about that name or
IP address, we know where and what it is.

(we have a fairly small site with few troublemakers - we haven't seen
anything that would justify the effort of implementing 802.1x or locking
down walljacks in the switch)

We're still exclusively IPv4. Devices that require static IPs get them
(servers, network equipment, printers, etc.). Most of the wired client
computers are leasing out of address pools. Switch CAM tables are
harvested regularly and retained so that we can find any troublemakers
by looking up the MAC by IP in DHCP logs, and then the location by MAC
in the CAM tables.

--
Matt Gracie                         (716) 888-8378
Information Security Administrator  graciem () canisius edu
Canisius College ITS                Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg        
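
The two-step lookup described in the message above (IP to MAC from the DHCP logs, then MAC to switch port from the harvested CAM tables), as an added example that is not part of the original post. The log and snapshot line layouts, switch names, addresses and the one-hour skew limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; line layouts are assumptions, not any real product's format.
DHCP_LOG = """\
2010-03-18T08:02:11 ACK 10.1.20.57 00:1a:2b:3c:4d:5e 3600
2010-03-18T09:01:40 ACK 10.1.20.57 00:1a:2b:3c:4d:5e 3600
2010-03-18T13:15:02 ACK 10.1.20.57 00:25:96:aa:bb:cc 3600"""
# Harvested CAM rows, assumed already filtered to access ports (no uplinks).
CAM_SNAPSHOTS = """\
2010-03-18T08:00:00 sw-lib-2 Gi0/14 00:1a:2b:3c:4d:5e
2010-03-18T09:00:00 sw-lib-2 Gi0/14 00:1a:2b:3c:4d:5e
2010-03-18T13:00:00 sw-sci-1 Gi0/3 00:25:96:aa:bb:cc
2010-03-18T14:00:00 sw-sci-1 Gi0/7 00:25:96:aa:bb:cc"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def parse_leases(text):
    """Return (start, end, ip, mac) for every ACK line."""
    out = []
    for line in text.splitlines():
        ts, event, ip, mac, secs = line.split()
        if event == "ACK":
            out.append((_ts(ts), _ts(ts) + timedelta(seconds=int(secs)), ip, mac.lower()))
    return out

def parse_cam(text):
    """Return (seen_at, switch, port, mac) for every harvested CAM row."""
    return [(_ts(ts), sw, port, mac.lower())
            for ts, sw, port, mac in (l.split() for l in text.splitlines())]

def mac_for_ip(leases, ip, when):
    """MAC holding `ip` at `when`, or None if no lease covered that instant."""
    held = [l for l in leases if l[2] == ip and l[0] <= when < l[1]]
    return max(held, key=lambda l: l[0])[3] if held else None

def port_for_mac(cam, mac, when, max_skew=timedelta(hours=1)):
    """(switch, port) from the snapshot nearest `when`, within max_skew."""
    seen = [r for r in cam if r[3] == mac and abs(r[0] - when) <= max_skew]
    if not seen:
        return None
    nearest = min(seen, key=lambda r: abs(r[0] - when))
    return nearest[1], nearest[2]

def locate(ip, when_str):
    """Resolve a complaint (IP + timestamp) to (mac, (switch, port)) or None."""
    when = _ts(when_str)
    mac = mac_for_ip(parse_leases(DHCP_LOG), ip, when)
    return (mac, port_for_mac(parse_cam(CAM_SNAPSHOTS), mac, when)) if mac else None
```

The same IP resolves to different devices and ports depending on the complaint timestamp, which is why both the DHCP logs and the CAM harvests have to be retained with their times.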
