Re: IPv6 Deployment for the LAN

[Steven Bellovin <smb () cs columbia edu>]

On Oct 17, 2009, at 8:55 PM, Ray Soucy wrote:

> Looking for general feedback on IPv6 deployment to the edge.
>
> As it turns out delivering IPv6 to the edge in an academic setting has
> been a challenge.  Common wisdom says to rely on SLAAC for IPv6
> addressing, and in a perfect world it would make sense.
>
> Given that historically we have relied on DHCP for a means of NAC and
> host registration, like many academic institutions, the idea of
> sweeping changes to accommodate IPv6 was just not going to happen in
> the near future.

...

My question is this: what are your goals?  What are you trying to  
achieve?  Force all authorized machines to register?  If so, why?   
We'll leave out for now whether or not there's even much point to  
that.  My university -- and I'm just a user of campus computing  
facilities; I don't run them -- has concluded that there's no  
particular benefit to requiring registration or permission; it's one  
more server complex to run, one more database to maintain, and one  
more thing to break, and the benefits don't seem to be worth the  
cost.  And given that we've had incidents of IP and MAC address  
spoofing, where it took the switch logs to figure out what was going  
on, I'm very far from convinced that registration is of any benefit  
anyway.  In other words -- yes, I agree with the campus policy -- but  
that's not the question I'm asking.

I ask because there may be other ways to achieve your actual goal, but  
without knowing that it's hard to make recommendations.  The most  
obvious answer is accountability, but physical port number may be a  
better approach there, depending on how the campus network is run.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb