Educause Security Discussion mailing list archives

Re: Address allocation on the network - DHCP, IPv6 etc.


From: Robert Kerr <r.kerr () CRANFIELD AC UK>
Date: Fri, 19 Mar 2010 13:53:05 +0000

On Fri, 2010-03-19 at 00:12 +0000, Andrew Daviel wrote:

> I have been looking at IPv6, trying to figure out how to do all the
> things I do in IPv4. One of the issues is address allocation.
>
> Is anyone actually running IPv6 on campus, or looking at it?

I have been struggling with the same issues myself. Our campus backbone
+ internet connection have been IPv6 enabled for over a year now, but
working out how to deploy to clients is a sticking point. For trial
purposes setting static addresses on the clients works, but it doesn't
really scale.

> It seems that in IPv6 one might manually assign static addresses to
> servers and routers, and let other devices configure themselves using
> stateless autoconfiguration. This gives a semi-random address on
> Windows, or one based on the MAC address on Linux, which isn't logged
> anywhere central.

It's really unfortunate that Microsoft decided to use randomisation
instead of EUI-64 by default like everyone else. It is possible to
configure a Windows system to use EUI-64 instead, but obviously this
only works for managed systems. If you don't have many non-managed
systems on your network and aren't too bothered about breaking IPv6
connectivity for incorrectly configured systems then some firewalls have
the ability to block any non-EUI-64 address.

> Or use DHCP in v6, which as far as I can tell uses a randomly-generated
> endpoint ID that may be based on MAC address + time. So you at least have
> a central log, but no static names/addresses without some kind of two-step.

The latest version of ISC DHCP will try to extract the MAC address from
the DUID. I don't believe it's 100% accurate as dhcp clients vary, but
it should cope with the majority of cases. Doesn't help if you're using
a different DHCP server though.

Another big issue you're likely to run into is that of rogue RAs and
DHCPv6 servers. Whilst most switch vendors these days support DHCP
snooping to protect against random student machines giving out IPv4
addresses nobody seems to have implemented the same features for IPv6.
There's an internet draft:

 http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-04

But as far as I know it's not in any shipping product. Some potential
workarounds exist (e.g. http://ramond.sourceforge.net/) but all of these
seem to require you to have a server in every L2 broadcast domain on
your network.

--
 Robert Kerr
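Added example, not part of the list message or of ISC DHCP: a small Python script for the two reconciliations the thread touches on, telling an EUI-64 interface identifier apart from a randomised one, and pulling the MAC out of a DHCPv6 DUID the way the newer ISC DHCP is described as doing. It assumes the DUID-LLT (type 1) and DUID-LL (type 3) layouts from RFC 3315 with Ethernet hardware type; the DUID and addresses in the test are constructed sample values.

```python
# Added example (not from the list message): reconcile DHCPv6 DUIDs and
# SLAAC addresses with MAC addresses for a central inventory/log.
# Assumes DUID-LLT (type 1) and DUID-LL (type 3) layouts from RFC 3315
# and hardware type 1 (Ethernet). Other DUID types carry no MAC.
import ipaddress
import struct

DUID_LLT, DUID_LL = 1, 3
HW_ETHERNET = 1

def mac_from_duid(duid: bytes):
    """Return the MAC embedded in a DUID-LLT/DUID-LL, or None.
    Clients vary (DUID-EN, DUID-UUID, fabricated link-layer addresses),
    so treat the result as a hint for logging, not as an identity."""
    if len(duid) < 4:
        return None
    dtype, hwtype = struct.unpack("!HH", duid[:4])
    if hwtype != HW_ETHERNET:
        return None
    if dtype == DUID_LLT and len(duid) == 14:    # type+hw+4-byte time+MAC
        ll = duid[8:]
    elif dtype == DUID_LL and len(duid) == 10:   # type+hw+MAC
        ll = duid[4:]
    else:
        return None
    return ":".join(f"{b:02x}" for b in ll)

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a MAC (RFC 4291 App. A):
    flip the U/L bit of the first octet and insert 0xfffe in the middle."""
    b = bytes.fromhex(mac.replace(":", ""))
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def looks_eui64(addr: str) -> bool:
    """True if octets 11-12 of the address carry the 0xfffe marker; a
    randomised (privacy) identifier will almost never have it."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"

def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 style address, or None."""
    if not looks_eui64(addr):
        return None
    iid = ipaddress.IPv6Address(addr).packed[8:]
    b = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in b)

def slaac_matches_duid(addr: str, duid: bytes) -> bool:
    """Does a SLAAC address belong to the host behind this DHCPv6 DUID?"""
    mac = mac_from_duid(duid)
    return mac is not None and mac_from_eui64(addr) == mac
```

Feed it the DUIDs from your DHCPv6 lease file and the addresses seen in neighbour caches to get the central MAC-to-address log the thread says is otherwise missing.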
