Educause Security Discussion mailing list archives

Re: Address allocation on the network - DHCP, IPv6 etc.


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Fri, 19 Mar 2010 07:26:48 -0500

If I might ask, what sort of v6 forum are you looking at?  

We're *very* large (~100k nodes, 32 institutions, 54 campuses, 80+ sites), starting our v6 design and implementation 
planning, and I'm real anxious to find a good forum, preferably with large-enterprise experience.

As well as to participate in the security-relevant discussions there, or in EDUCAUSE SECURITY.

Pointers?

   -jml

Andrew Daviel <advax () TRIUMF CA> 2010-03-18 19:12 >>>
Some fallout from a discussion on an IPv6 forum -

How are people tracking or authenticating devices on the network?


Currently, for wired devices that stay in one location, we add the MAC 
address to DHCP and create a DNS entry. The name, in our minds, is the 
device for practical purposes. If we get a complaint about that name or 
ip address, we know where and what it is.

(we have a fairly small site with few troublemakers - we haven't seen 
anything that would justify the effort of implementing 802.1x or locking 
down walljacks in the switch)


I have been looking at IPv6, trying to figure out how to do all the 
things I do in IPv4. One of the issues is address allocation.

Is anyone actually running IPv6 on campus, or looking at it?


It seems that in IPv6 one might manually assign static addresses to servers and 
routers, and let other devices configure themselves using stateless 
autoconfiguration. This gives a semi-random address on Windows, or one based on 
the MAC address on Linux, which isn't logged anywhere central. Or use DHCP in 
v6, which as far as I can tell uses a randomly-generated endpoint ID that may 
be based on MAC address + time. So you at least have a central log, but no 
static names/addresses without some kind of two-step.
Figuring out what is using a given IPv6 address seems to require digging in 
DHCP logs, or running DDNS to let DHCP update DNS - or actively monitoring 
every VLAN or switch. Which may be true for IPv4 if something is actively 
hiding (spoofing ip or MAC addresses) but isn't the case for the majority of 
issues - I've only ever seen it once.



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager

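The quoted message describes three IPv6 allocation mechanisms by what they leave behind: a modified EUI-64 SLAAC address (the Linux default of the time) carries the MAC, a privacy-extension SLAAC address (the Windows default) carries nothing, and a DHCPv6 client is identified by a DUID, which in its DUID-LLT form is MAC plus a generation timestamp. The following is an added example, my own code and not anything posted in the thread or used at TRIUMF or MnSCU, that does the corresponding checks: forms the EUI-64 address a host would get on a /64, recovers the MAC from such an address or flags the address as random or manually assigned, and decodes a DUID-LLT/DUID-LL/DUID-EN into its parts. The MAC, prefix and DUID hex string are constructed sample data, and the manual-versus-random split is a heuristic, not something the protocols guarantee.

```python
"""What an IPv6 address or a DHCPv6 DUID reveals about the host behind it.

- SLAAC with modified EUI-64 (RFC 4291): the MAC is embedded in the low 64 bits.
- SLAAC with privacy extensions (RFC 4941): the interface ID is random.
- DHCPv6 (RFC 3315 / RFC 8415) identifies a client by a DUID: DUID-LLT (type 1)
  has hardware type, a generation timestamp and the MAC; DUID-LL (type 3) has
  hardware type and MAC; DUID-EN (type 2) has an enterprise number and opaque ID.
"""
import ipaddress
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# DUID-LLT time field: seconds since 2000-01-01 00:00:00 UTC, modulo 2**32
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _mac_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return b


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe."""
    b = _mac_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """The address a non-privacy SLAAC host would form on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID is modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return _mac_str(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def classify_address(addr: str) -> str:
    """Heuristic: 'eui64 <mac>', 'manual' (IID is a small number such as ::53),
    or 'random' (privacy/temporary address, i.e. nothing to look up centrally)."""
    mac = eui64_to_mac(addr)
    if mac:  # a random IID matches ff:fe here with probability 2**-16; accepted
        return f"eui64 {mac}"
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if not any(iid[:6]):
        return "manual"
    return "random"


def make_duid_llt(mac: str, when: datetime, hwtype: int = 1) -> bytes:
    """Build a DUID-LLT as a client does on first start (hwtype 1 = Ethernet)."""
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", 1, hwtype, secs) + _mac_bytes(mac)


def parse_duid(duid_hex: str) -> dict:
    """Decode a DUID given as hex, with or without ':' separators."""
    d = bytes.fromhex(duid_hex.replace(":", ""))
    if len(d) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", d[:2])
    if dtype == 1 and len(d) >= 8:
        hwtype, secs = struct.unpack("!HI", d[2:8])
        return {"type": "DUID-LLT", "hwtype": hwtype,
                "time": DUID_EPOCH + timedelta(seconds=secs), "mac": _mac_str(d[8:])}
    if dtype == 2 and len(d) >= 6:
        (ent,) = struct.unpack("!I", d[2:6])
        return {"type": "DUID-EN", "enterprise": ent, "id": d[6:].hex()}
    if dtype == 3 and len(d) >= 4:
        (hwtype,) = struct.unpack("!H", d[2:4])
        return {"type": "DUID-LL", "hwtype": hwtype, "mac": _mac_str(d[4:])}
    return {"type": f"unknown({dtype})", "raw": d.hex()}


# Constructed sample data (not real hosts): a MAC, a /64, and a DUID-LLT written
# the way a DHCPv6 server log might show it (type 0001, hwtype 0001, time, MAC).
SAMPLE_MAC = "00:1c:42:aa:bb:cc"
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_DUID_HEX = "00:01:00:01:13:35:37:80:00:1c:42:aa:bb:cc"

if __name__ == "__main__":
    print(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))
    for a in ("2001:db8:1:2:21c:42ff:feaa:bbcc",   # EUI-64 from SAMPLE_MAC
              "2001:db8:1:2:3d5a:9c1e:7b02:aa41",  # privacy-extension style
              "2001:db8:1:2::53"):                 # manually assigned server
        print(a, "->", classify_address(a))
    print(parse_duid(SAMPLE_DUID_HEX))
```

Two caveats for anyone using this for the kind of complaint-handling described above: a DUID is chosen by the client, so a DUID-LLT only tells you which MAC the host had on the interface it first generated the DUID on (it is kept across reboots and NIC changes), and a privacy-extension host shows up as "random" here, which is exactly the case where only DHCPv6 logs, DDNS, or per-VLAN neighbor-cache monitoring will tie an address back to a machine.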