Educause Security Discussion mailing list archives
Re: Address allocation on the network - DHCP, IPv6 etc.
From: Dan Oachs <doachs () GAC EDU>
Date: Thu, 18 Mar 2010 19:38:50 -0500
We just recently deployed IPv6 to our entire network. We are a smallish college so it was rather easy to do. We are manually configuring the servers and letting all the other computers do auto configuration. I think DHCPv6 was not really an option because I don't think all clients currently support it without some additional software, but pretty much everything seems to work OK with auto configuration.

So when a new computer connects to our network, they get an auto configured IPv6 address and a temporary IPv4 address from DHCP. Since they don't get a DNS server from the v6 auto configuration, they use v4. We then redirect all DNS to send them to a registration page. Once registered, they are ready to go for v4 and v6. There are some holes in this setup but it works well enough for us.

The Apple computers are pretty easy to track unless they have enabled the privacy settings, since the MAC is in the v6 address. We can just look that up in the v4 registration system. Right now the only way we have found to track the rest is to have a system actively monitor each network and record the v6 address to MAC pairing. We stick that info into a database that we can look at later. We only keep that info for a few days and then let it expire.

Curious to know what others are doing as well.

Thanks,
Dan Oachs
Gustavus Adolphus College

Andrew Daviel wrote:
> Some fallout from a discussion on an IPv6 forum - how are people tracking or authenticating devices on the network?
>
> Currently, for wired devices that stay in one location, we add the MAC address to DHCP and create a DNS entry. The name, in our minds, is the device for practical purposes. If we get a complaint about that name or IP address, we know where and what it is. (We have a fairly small site with few troublemakers - we haven't seen anything that would justify the effort of implementing 802.1x or locking down walljacks in the switch.)
>
> I have been looking at IPv6, trying to figure out how to do all the things I do in IPv4. One of the issues is address allocation. Is anyone actually running IPv6 on campus, or looking at it?
>
> It seems that in IPv6 one might manually assign static addresses to servers and routers, and let other devices configure themselves using stateless autoconfiguration. This gives a semi-random address on Windows, or one based on the MAC address on Linux, which isn't logged anywhere central. Or use DHCP in v6, which as far as I can tell uses a randomly-generated endpoint ID that may be based on MAC address + time. So you at least have a central log, but no static names/addresses without some kind of two-step.
>
> Figuring out what is using a given IPv6 address seems to require digging in DHCP logs, or running DDNS to let DHCP update DNS - or actively monitoring every VLAN or switch. Which may be true for IPv4 if something is actively hiding (spoofing IP or MAC addresses) but isn't the case for the majority of issues - I've only ever seen it once.
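Added example, not code from either post: a small Python script covering the two tracking approaches the thread describes. It recovers the MAC from a SLAAC address built with the modified EUI-64 scheme (the "MAC is in the v6 address" case Dan relies on), returns None for addresses without the FF:FE marker (privacy extensions, or the "semi-random address on Windows" Andrew mentions), and keeps a v6-address-to-MAC pairing table fed from a neighbor cache with a few-days expiry. The neighbor-cache lines are constructed in the format of `ip -6 neigh show`; the prefix 2001:db8::/32, the MACs, the timestamps and the three-day retention are assumptions, and the in-memory table stands in for the database.

```python
import ipaddress
import re

# Constructed sample output in the format of `ip -6 neigh show` (not real data).
# The same MAC appears with an EUI-64 address and a privacy (random IID) address,
# as a host running privacy extensions would show; the FAILED entry has no lladdr.
SAMPLE_NEIGH = """\
2001:db8::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8::a1b2:c3d4:e5f6:1234 dev eth0 lladdr 00:11:22:33:44:55 STALE
fe80::1 dev eth0 lladdr 00:aa:bb:cc:dd:ee router REACHABLE
2001:db8::9 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def mac_from_eui64(addr):
    """Recover the MAC embedded in a modified-EUI-64 interface identifier.

    SLAAC on hosts without privacy extensions builds the low 64 bits as
    OUI (3 bytes) + FF:FE + NIC (3 bytes), with the universal/local bit of the
    first byte inverted. Returns None when the address is malformed or the
    FF:FE marker is absent (privacy, random, or manually assigned IID).
    """
    try:
        iid = ipaddress.IPv6Address(addr).packed[8:]
    except ValueError:
        return None
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def parse_neighbors(text):
    """Return (ipv6, mac, dev) for neighbor-cache lines that carry a link-layer address."""
    result = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            result.append((m["ip"], m["mac"].lower(), m["dev"]))
    return result


class PairingLog:
    """In-memory stand-in for the database of v6-address-to-MAC pairings.

    Timestamps are plain epoch seconds; entries not seen within
    retention_seconds are dropped by expire().
    """

    def __init__(self, retention_seconds=3 * 86400):  # assumption: "a few days"
        self.retention_seconds = retention_seconds
        self.entries = {}  # (ipv6, mac) -> dict of dev, first_seen, last_seen, mac_in_address

    def record(self, neighbors, now):
        """Merge one poll of the neighbor cache, taken at time `now`."""
        for ip, mac, dev in neighbors:
            key = (ip, mac)
            entry = self.entries.get(key)
            if entry is None:
                self.entries[key] = {
                    "dev": dev,
                    "first_seen": now,
                    "last_seen": now,
                    # True when the address itself reveals the MAC, i.e. the case
                    # where a lookup in the v4 registration data would have sufficed
                    "mac_in_address": mac_from_eui64(ip) == mac,
                }
            else:
                entry["last_seen"] = now

    def expire(self, now):
        """Drop pairings not seen within the retention window; return how many."""
        cutoff = now - self.retention_seconds
        stale = [k for k, e in self.entries.items() if e["last_seen"] < cutoff]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, ipv6):
        """Answer the complaint-handling question: which MAC(s) used this address?"""
        return sorted({mac for (ip, mac) in self.entries if ip == ipv6})


if __name__ == "__main__":
    log = PairingLog()
    log.record(parse_neighbors(SAMPLE_NEIGH), now=1268959130)  # constructed timestamp
    for (ip, mac), e in log.entries.items():
        print(f"{ip:<32} {mac}  mac_in_address={e['mac_in_address']}")
    print("lookup:", log.lookup("2001:db8::a1b2:c3d4:e5f6:1234"))
```

In practice the poller would run `ip -6 neigh show` (or pull the switch/router neighbor table) on every VLAN periodically and call `record()`; the `mac_in_address` flag shows which hosts could have been resolved from the address alone and which ones, the privacy-extension hosts, only the actively collected pairing can identify.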