Educause Security Discussion mailing list archives

Re: IPv6 and DHCP

From: "Kern, Paul" <Paul.Kern () SDBOR EDU>
Date: Thu, 10 May 2012 20:26:49 +0000

I agree with John.  I think SLAAC is most appropriate in very small, private (meaning personal) networks such as home 
networks.  For larger networks, especially those that must be closely monitored and managed (think log checking, 
firewall rules, etc.), I think DHCPv6 is the future.  This is especially if you have a network that requires Option 
82-type capabilities.  I don't think SLAAC offers any mechanism for tracking or controlling IP address leases.

Paul Kern (RIS)
605.367.7594

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Ladwig
Sent: Thursday, May 10, 2012 2:43 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IPv6 and DHCP

I think even within the IETF there's no longer a strong assumption that IPv6 will be "self-managing" in all, or even 
most, networks.

Since we're in a security forum, I think it's pretty easy for us to realize that "self-managing networks" would need an 
awful lot of bolt-around management/monitoring tricks to keep up with the normal sorts of incident response that we 
deal with daily in IPv4 networks.

My personal expectation is that the IPv6 internet will end up much like the current IPv4 Internet - a mix of static 
addressing for servers and network devices run by organizations, and DHCP in client networks.  Future 
Internet-of-devices scenarios may result in good use cases for SLAAC, but I can't personally fathom how I'd manage 
response on a big campus network of SLAAC+Privacy mode addressing on end-user devices.  

I'd also be interested in experience reports; our IPv6 work hasn't quite gotten to DHCPv6 testing.

    -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin 
Manjak
Sent: Thursday, May 10, 2012 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPv6 and DHCP

If you're running IPv6, and you've tested, or deployed, DHCP tools, we are interested in what you may have discovered.

Our staff were using the following as a starting place for looking into this issue: 
https://en.wikipedia.org/wiki/IP_address_management

Granted, we could have a debate about whether it makes sense to manage an addressing protocol designed to be 
self-administering. But I think we have to first determine whether or not it's feasible.

So any experience with the products on the wikipedia page, or anything else, would be greatly appreciated.

Marty



Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.

Current thread:

IPv6 and DHCP Martin Manjak (May 10)
- Re: IPv6 and DHCP John Ladwig (May 10)
  - Re: IPv6 and DHCP Kern, Paul (May 10)
  - Re: IPv6 and DHCP John Hoffoss (May 23)
    - Re: IPv6 and DHCP Phillip Deneault (May 23)
    - Compromised Accounts Procedures Robert Meyers (May 23)
    - Re: Compromised Accounts Procedures Tonkin, Derek K. (May 23)
    - Re: Compromised Accounts Procedures Aaron Kirby (May 23)
    - Re: Compromised Accounts Procedures Jacobson, Dick (May 23)
    - Re: Compromised Accounts Procedures Aaron Kirby (May 23)
    - Re: Compromised Accounts Procedures Robert Meyers (May 23)
    - Re: Compromised Accounts Procedures Tonkin, Derek K. (May 23)
    - Re: Compromised Accounts Procedures Rich Graves (May 23)

(Thread continues...)