Re: [RRG] Consensus check: renumbering - missing dimension

[Bruce Curtis <bruce.curtis@ndsu.edu>]

On Aug 24, 2008, at 6:22 PM, Tony Li wrote:
> Do folks really feel that stateless autoconfig is a significant step  
> forward
> vs. DHCP?  Current dual-stack site admins would be especially  
> welcome to
> opine.
>
> Tony


 When we enabled IPv6 on our whole campus network the main issue was  
that autoconfig did not give our security folks a log of the MAC to IP  
mapping over time.  So we set up some scripts to grab the Neighbor  
Cache periodically as a temporary solution until we implemented  
DHCPv6.  I've talked to several other universities who have either  
implemented equivalent scripts (even earlier than us) or plan to as  
they implement IPv6.

 Looking more closely at DHCPv6 our Neighbor Cache scripts may be  
more permanent than we planned since the client id in DHCPv6 may be  
based on the MAC of any interface on the host which is different than  
DHCP in IPv4 where the client id was based on the MAC of the interface  
the DHCP request came from.  It looks like there is a reason for the  
difference, I just didn't spot the difference earlier.
 Any MAC address on the machine will help our security folks identify  
a machine but on the practical side we find it quite useful to block  
the MAC addresses of hosts, for example if they are compromised etc.   
And for the MAC blocking to be successful we need to have the correct  
MAC that a host uses on a given subnet.

 Longer term, security aside, we also will want DHCPv6 for more  
purely network administration reasons.  We have had devices from unix  
workstations to lightweight Access Points and VoIP phones that learn  
extra info via DHCP.  The workstations learned the address of tftp  
servers, the APs the addresses of controllers and the phones several  
different IP addresses.  The APs now have at least two other methods  
of learning the IPs of the controllers and long term it is possible  
that phones would provide options other than DHCP also.
 But in addition to learning extra addresses we have also used the  
vendor class info to assign devices to different IP pools based on the  
vendor.

 I expect that just as we will have both IPv4 and IPv6 in our campus  
for quite a while we will likely be using both DHCPv6 and autoconfig  
for quite a while (especially with vendors like Apple saying they have  
no plans to implement DHCPv6).


---
Bruce Curtis                         bruce.curtis@ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University


--
to unsubscribe send a message to rrg-request@psg.com with the
word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg