Educause Security Discussion mailing list archives

Address allocation on the network - DHCP, IPv6 etc.


From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 18 Mar 2010 17:12:05 -0700

Some fallout from a discussion on an IPv6 forum -

How are people tracking or authenticating devices on the network?


Currently, for wired devices that stay in one location, we add the MAC
address to DHCP and create a DNS entry. The name, in our minds, is the
device for practical purposes. If we get a complaint about that name or
IP address, we know where and what it is.

(We have a fairly small site with few troublemakers; we haven't seen
anything that would justify the effort of implementing 802.1X or locking
down wall jacks in the switch.)


I have been looking at IPv6, trying to figure out how to do all the
things I do in IPv4. One of the issues is address allocation.

Is anyone actually running IPv6 on campus, or looking at it?


It seems that in IPv6 one might manually assign static addresses to servers and
routers, and let other devices configure themselves using stateless
autoconfiguration. This gives a semi-random address on Windows, or one based on
the MAC address on Linux, which isn't logged anywhere central. Or use DHCP in
v6, which as far as I can tell uses a randomly-generated endpoint ID that may
be based on MAC address + time. So you at least have a central log, but no
static names/addresses without some kind of two-step.
Figuring out what is using a given IPv6 address seems to require digging in
DHCP logs, or running DDNS to let DHCP update DNS, or actively monitoring
every VLAN or switch. Which may be true for IPv4 if something is actively
hiding (spoofing IP or MAC addresses) but isn't the case for the majority of
issues; I've only ever seen it once.



--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
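The post touches on two places where an IPv6 address or DHCPv6 record still carries a hardware identity a defender can use: a SLAAC address built from the MAC (modified EUI-64, the Linux behaviour mentioned above) and the DHCPv6 DUID, whose LLT form is exactly "link-layer address + time". The script below is an added example and is not part of the original message or anything TRIUMF runs; the MAC, prefix and DUID strings are constructed sample values. It builds the EUI-64 address a host would pick for a given prefix and MAC, recovers the MAC from such an address (reporting "no MAC" for a privacy/random address), and decodes DUID-LLT and DUID-LL values as they appear in DHCPv6 server logs.

```python
"""Map IPv6 addresses and DHCPv6 DUIDs back to link-layer addresses.

Added example for the discussion above; all sample values are constructed.
"""
import datetime
import ipaddress
from typing import Optional

# Constructed sample values (not taken from any real network).
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_PRIVACY_ADDR = "2001:db8:1234:5678:a1b2:c3d4:e5f6:789"
# DUID-LLT: type 1, hwtype 1 (Ethernet), time 0x12345678, then the MAC.
SAMPLE_DUID_LLT = "0001000112345678001b213c4d5e"
# DUID-LL: type 3, hwtype 1, then the MAC.
SAMPLE_DUID_LL = "00030001001b213c4d5e"

# DUID-LLT time is seconds since 2000-01-01 00:00 UTC (RFC 3315 section 9.2).
DUID_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)


def _fmt_mac(octets: bytes) -> str:
    return ":".join(f"{b:02x}" for b in octets)


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID: split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit is inverted in the modified form
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """The address a MAC-based SLAAC host would form inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if the low 64 bits
    lack the ff:fe marker (privacy/random addresses). A random IID can contain
    ff:fe by chance, so treat a hit as a lead to confirm, not as proof."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L bit flip
    return _fmt_mac(octets)


def parse_duid(duid_hex: str) -> dict:
    """Decode a DHCPv6 DUID. Types 1 (LLT) and 3 (LL) carry a link-layer address;
    type 2 (EN) and others are returned raw."""
    raw = bytes.fromhex(duid_hex.replace(":", ""))
    duid_type = int.from_bytes(raw[0:2], "big")
    if duid_type == 1 and len(raw) > 8:
        secs = int.from_bytes(raw[4:8], "big")
        return {
            "type": "DUID-LLT",
            "hwtype": int.from_bytes(raw[2:4], "big"),
            "time": DUID_EPOCH + datetime.timedelta(seconds=secs),
            "mac": _fmt_mac(raw[8:]),
        }
    if duid_type == 3 and len(raw) > 4:
        return {
            "type": "DUID-LL",
            "hwtype": int.from_bytes(raw[2:4], "big"),
            "mac": _fmt_mac(raw[4:]),
        }
    return {"type": f"DUID type {duid_type}", "raw": raw.hex()}


if __name__ == "__main__":
    addr = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("SLAAC address for", SAMPLE_MAC, "->", addr)
    print("MAC recovered from that address:", eui64_to_mac(addr))
    print("MAC recovered from privacy address:", eui64_to_mac(SAMPLE_PRIVACY_ADDR))
    for duid in (SAMPLE_DUID_LLT, SAMPLE_DUID_LL):
        print(duid, "->", parse_duid(duid))
```

`eui64_to_mac` is what you would run over a complaint's source address before touching switch tables; `parse_duid` is what you would run over the client identifier in a DHCPv6 lease log. Both only work when the host did not randomise its identifier, which is the gap the message above describes: a Windows host with privacy extensions, or a DHCPv6 client using a DUID-EN, gives you nothing to decode, and you fall back to the lease log or neighbour tables.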
