Educause Security Discussion mailing list archives

Re: Address allocation on the network - DHCP, IPv6 etc.


From: Dan Oachs <doachs () GAC EDU>
Date: Thu, 18 Mar 2010 19:38:50 -0500

We just recently deployed IPv6 to our entire network.  We are a smallish
college so it was rather easy to do.

We are manually configuring the servers and letting all the other
computers do auto configuration.  I think DHCPv6 was not really an
option because I don't think all clients currently support it without
some additional software but pretty much everything seems to work ok
with auto configuration.

So when a new computer connects to our network, it gets an auto
configured IPv6 address and a temporary IPv4 address from DHCP.  Since
it doesn't get a DNS server from the v6 auto configuration, it uses
v4.  We then redirect all DNS to send them to a registration page.
Once registered, they are ready to go for v4 and v6.  There are some
holes in this setup but it works well enough for us.

The Apple computers are pretty easy to track unless they have enabled
the privacy settings, since the MAC is in the v6 address.  We can just
look that up in the v4 registration system.  Right now the only way we
have found to track the rest is to have a system actively monitor each
network and record the v6 address to MAC pairing.  We stick that info
into a database that we can look at later.  We only keep that info for a
few days and then let it expire.

Curious to know what others are doing as well.

   Thanks,
      Dan Oachs
      Gustavus Adolphus College


Andrew Daviel wrote:
Some fallout from a discussion on an IPv6 forum -

How are people tracking or authenticating devices on the network?


Currently, for wired devices that stay in one location, we add the MAC
address to DHCP and create a DNS entry. The name, in our minds, is the
device for practical purposes. If we get a complaint about that name
or ip address, we know where and what it is.

(we have a fairly small site with few troublemakers - we haven't seen
anything that would justify the effort of implementing 802.1x or
locking down walljacks in the switch)


I have been looking at IPv6, trying to figure out how to do all the
things I do in IPv4. One of the issues is address allocation.

Is anyone actually running IPv6 on campus, or looking at it?


It seems that in IPv6 one might manually assign static addresses to
servers and routers, and let other devices configure themselves using
stateless autoconfiguration. This gives a semi-random address on
Windows, or one based on the MAC address on Linux, which isn't logged
anywhere central. Or use DHCP in v6, which as far as I can tell uses a
randomly-generated endpoint ID that may be based on MAC address +
time. So you at least have a central log, but no static
names/addresses without some kind of two-step.
Figuring out what is using a given IPv6 address seems to require
digging in DHCP logs, or running DDNS to let DHCP update DNS - or
actively monitoring every VLAN or switch. Which may be true for IPv4
if something is actively hiding (spoofing IP or MAC addresses), but
isn't the case for the majority of issues - I've only ever seen it once.
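
Both messages turn on the same two questions: when can the MAC be read straight out of an autoconfigured IPv6 address (the "MAC is in the v6 address" case), and when does one have to fall back on a monitor that records v6-address-to-MAC pairings from the neighbour table? The Python below is an added example written for this archive page; it is not code from either poster or from any campus system they describe. It assumes Linux `ip -6 neigh show` as the monitoring source (line format as in the constructed sample), uses the documentation prefix 2001:db8::/32 and the IANA documentation MAC 00:00:5e:00:53:01, and the timestamps are made up. The retention helper implements the "keep it for a few days and let it expire" policy from the first message.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Modified EUI-64 interface IDs (RFC 4291, appendix A):
#   MAC aa:bb:cc:dd:ee:ff  ->  IID (aa ^ 0x02):bb:cc:ff:fe:dd:ee:ff
# Privacy/temporary addresses (RFC 4941) and Windows' random IIDs do not
# carry the ff:fe marker, so nothing can be recovered from them offline.


def eui64_to_mac(addr):
    """Return the MAC embedded in an EUI-64 SLAAC address, or None.

    A random IID carries ff:fe in the right place about 1 time in 65536,
    so treat the result as a hint to confirm against the neighbour cache.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if bytes(iid[3:5]) != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in iid[0:3] + iid[5:8])


def mac_to_slaac(prefix, mac):
    """Predict the EUI-64 address a host with this MAC forms on a /64.

    This is the lookup a v4 registration database enables: the MAC seen
    by DHCPv4 -> the v6 address to expect on each /64 the host may use.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("bad MAC address")
    octets[0] ^= 0x02
    iid = bytes(octets[0:3]) + b"\xff\xfe" + bytes(octets[3:6])
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid).compressed


# One line of `ip -6 neigh show` per neighbour (assumed format).  Entries
# without a link-layer address (INCOMPLETE/FAILED) are skipped.
NEIGH_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F:]+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$"
)


def record_pairings(lines, seen_at, db=None):
    """Fold neighbour-table lines into db[(v6, mac)] = (first_seen, last_seen).

    seen_at is an ISO-8601 timestamp string for this polling run.
    """
    now = datetime.fromisoformat(seen_at)
    db = {} if db is None else db
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        key = (ipaddress.IPv6Address(m.group("addr")).compressed,
               m.group("mac").lower())
        first, _ = db.get(key, (now, now))
        db[key] = (first, now)
    return db


def expire(db, now, keep_days=3):
    """Drop pairings not seen within keep_days (the 'few days' retention)."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=keep_days)
    return {k: v for k, v in db.items() if v[1] >= cutoff}


def who_had(db, addr):
    """(embedded-MAC hint or None, sorted MACs actually observed using addr)."""
    addr = ipaddress.IPv6Address(addr).compressed
    return eui64_to_mac(addr), sorted({mac for (a, mac) in db if a == addr})


# Constructed sample: one EUI-64 address and one privacy address from the
# same host, the router's link-local, and a failed entry with no MAC.
SAMPLE_NEIGH = """\
2001:db8:1:0:21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
2001:db8:1:0:8d1e:6f0a:92c3:7b44 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
fe80::1 dev eth0 lladdr 00:00:5e:00:53:01 router REACHABLE
2001:db8:1:0:ffff:dead:beef:1 dev eth0  FAILED
"""

if __name__ == "__main__":
    db = record_pairings(SAMPLE_NEIGH.splitlines(), "2010-03-18T19:00:00")
    for a in ("2001:db8:1:0:21a:2bff:fe3c:4d5e",
              "2001:db8:1:0:8d1e:6f0a:92c3:7b44"):
        print(a, who_had(db, a))
    print(mac_to_slaac("2001:db8:1::/64", "00:1a:2b:3c:4d:5e"))
```

The privacy address in the sample gives `eui64_to_mac` nothing, and only the recorded neighbour-table pairing ties it back to the MAC, which is exactly the gap the first message fills with an active monitor. Note also that the embedded MAC is whatever the host chose to put there; the `lladdr` the neighbour cache saw is the better evidence, and a mismatch between the two is worth flagging.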


