Educause Security Discussion mailing list archives
Re: Address allocation on the network - DHCP, IPv6 etc.
From: Robert Kerr <r.kerr () CRANFIELD AC UK>
Date: Fri, 19 Mar 2010 13:53:05 +0000
On Fri, 2010-03-19 at 00:12 +0000, Andrew Daviel wrote:
> I have been looking at IPv6, trying to figure out how to do all the things I do in IPv4. One of the issues is address allocation.
> Is anyone actually running IPv6 on campus, or looking at it?
I have been struggling with the same issues myself. Our campus backbone + internet connection have been IPv6 enabled for over a year now, but working out how to deploy to clients is a sticking point. For trial purposes setting static addresses on the clients works, but it doesn't really scale.
> It seems that in IPv6 one might manually assign static addresses to servers and routers, and let other devices configure themselves using stateless autoconfiguration. This gives a semi-random address on Windows, or one based on the MAC address on Linux, which isn't logged anywhere central.
It's really unfortunate that Microsoft decided to use randomisation instead of EUI-64 by default like everyone else. It is possible to configure a Windows system to use EUI-64 instead, but obviously this only works for managed systems. If you don't have many non-managed systems on your network and aren't too bothered about breaking IPv6 connectivity for incorrectly configured systems then some firewalls have the ability to block any non-EUI-64 address.
> Or use DHCP in v6, which as far as I can tell uses a randomly-generated endpoint ID that may be based on MAC address + time. So you at least have a central log, but no static names/addresses without some kind of two-step.
The latest version of ISC DHCP will try to extract the MAC address from the DUID. I don't believe it's 100% accurate as DHCP clients vary, but it should cope with the majority of cases. Doesn't help if you're using a different DHCP server though.

Another big issue you're likely to run into is that of rogue RAs and DHCPv6 servers. Whilst most switch vendors these days support DHCP snooping to protect against random student machines giving out IPv4 addresses, nobody seems to have implemented the same features for IPv6. There's an internet draft:

http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-04

But as far as I know it's not in any shipping product. Some potential workarounds exist (e.g. http://ramond.sourceforge.net/) but all of these seem to require you to have a server in every L2 broadcast domain on your network.

--
Robert Kerr
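As an added example (not code from this thread, and not ISC DHCP's own DUID heuristics), here is the kind of DUID parsing and EUI-64 check that the two points above rest on: pulling the link-layer address out of a DUID-LLT or DUID-LL per RFC 3315, and recovering a MAC from a modified EUI-64 interface identifier so that addresses which were not derived from a MAC (e.g. Windows-style randomised ones) come back as None. The DUID bytes and addresses used are constructed for illustration.

```python
import ipaddress
import struct

# DUID types from RFC 3315; hardware type 1 is Ethernet (same code as ARP)
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1


def mac_from_duid(duid: bytes):
    """Return the MAC carried in a DUID-LLT or DUID-LL (Ethernet only), else None.

    DUID-EN (vendor-assigned) and any unknown type carry no link-layer address,
    so there is nothing to recover from them; this is the case a DUID-to-MAC
    lookup in a lease log cannot cover.
    """
    if len(duid) < 4:
        return None
    duid_type, hw_type = struct.unpack("!HH", duid[:4])
    if duid_type == DUID_LLT and len(duid) == 2 + 2 + 4 + 6:
        lladdr = duid[8:]          # type, hw type, 4-byte time, then the MAC
    elif duid_type == DUID_LL and len(duid) == 2 + 2 + 6:
        lladdr = duid[4:]          # type, hw type, then the MAC
    else:
        return None
    if hw_type != HW_ETHERNET:
        return None
    return ":".join(f"{b:02x}" for b in lladdr)


def mac_from_eui64(addr: str):
    """Recover the MAC from an address whose interface identifier is modified EUI-64.

    EUI-64 splits the MAC around 0xfffe and flips the universal/local bit of the
    first octet. A randomised identifier (RFC 4941, or the Windows default) will
    not have 0xfffe in the middle, so None is returned for it; a random identifier
    hitting that pattern by chance is possible but rare (1 in 65536).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def lease_matches_duid(addr: str, duid: bytes) -> bool:
    """True when the lease address is EUI-64-derived from the MAC in the DUID."""
    mac = mac_from_duid(duid)
    return mac is not None and mac_from_eui64(addr) == mac
```

Run over a DHCPv6 lease file, a None from mac_from_duid marks the clients whose identity cannot be tied to hardware from the lease alone, and a None from mac_from_eui64 on an SLAAC address marks the randomised addresses the firewall rule in the thread would drop.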
Current thread:
- Address allocation on the network - DHCP, IPv6 etc. Andrew Daviel (Mar 18)
- <Possible follow-ups>
- Re: Address allocation on the network - DHCP, IPv6 etc. Dan Oachs (Mar 18)
- Re: Address allocation on the network - DHCP, IPv6 etc. Matthew Gracie (Mar 19)
- Re: Address allocation on the network - DHCP, IPv6 etc. John Ladwig (Mar 19)
- Re: Address allocation on the network - DHCP, IPv6 etc. Robert Kerr (Mar 19)
- Re: Address allocation on the network - DHCP, IPv6 etc. Andrew Daviel (Mar 19)