Educause Security Discussion mailing list archives
Address allocation on the network - DHCP, IPv6 etc.
From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 18 Mar 2010 17:12:05 -0700
Some fallout from a discussion on an IPv6 forum - How are people tracking or authenticating devices on the network?

Currently, for wired devices that stay in one location, we add the MAC address to DHCP and create a DNS entry. The name, in our minds, is the device for practical purposes. If we get a complaint about that name or IP address, we know where and what it is. (We have a fairly small site with few troublemakers - we haven't seen anything that would justify the effort of implementing 802.1x or locking down walljacks in the switch.)

I have been looking at IPv6, trying to figure out how to do all the things I do in IPv4. One of the issues is address allocation. Is anyone actually running IPv6 on campus, or looking at it?

It seems that in IPv6 one might manually assign static addresses to servers and routers, and let other devices configure themselves using stateless autoconfiguration. This gives a semi-random address on Windows, or one based on the MAC address on Linux, which isn't logged anywhere central. Or use DHCP in v6, which as far as I can tell uses a randomly-generated endpoint ID that may be based on MAC address + time. So you at least have a central log, but no static names/addresses without some kind of two-step.

Figuring out what is using a given IPv6 address seems to require digging in DHCP logs, or running DDNS to let DHCP update DNS - or actively monitoring every VLAN or switch. Which may be true for IPv4 if something is actively hiding (spoofing IP or MAC addresses) but isn't the case for the majority of issues - I've only ever seen it once.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
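
Added example, not part of the original post: where stateless autoconfiguration builds the address from the MAC address, as the post describes for Linux, the MAC can be recovered from the address and matched against existing MAC registrations. The registration table, host name and sample addresses are constructed, and the `ff:fe` test assumes the modified EUI-64 interface ID format from RFC 4291.

```python
import ipaddress

# Constructed registrations, standing in for the site's MAC -> DNS name records.
REGISTERED = {
    "00:16:3e:12:34:56": "lab-pc1.example.org",
}

def mac_from_slaac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits of the address
    # EUI-64 derived IDs carry ff:fe between the two halves of the MAC.
    # A random ID matches by chance about once in 65536, so treat a hit
    # as a lead to confirm at the switch, not as proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def identify(addr, registered=REGISTERED):
    """Classify one observed address as (status, mac, name)."""
    mac = mac_from_slaac(addr)
    if mac is None:
        return ("opaque", None, None)   # random/privacy or manually set ID
    name = registered.get(mac)
    return ("registered" if name else "unregistered", mac, name)

if __name__ == "__main__":
    # Constructed sample addresses (documentation prefix 2001:db8::/32).
    for a in ("2001:db8:1:2:216:3eff:fe12:3456",
              "fe80::21b:21ff:feab:cdef",
              "2001:db8:1:2:a9c4:71d3:5be2:90f7"):
        print(a, identify(a))
```

Addresses reported as `opaque` are the ones that still need a DHCPv6 log, DDNS record or neighbour-table capture to tie them to a device.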