On Thu, September 5, 2013 12:14, Dan Wing wrote:
[...]
> The best solution is improving tools to understand multiple IPv6
> addresses. Consider an abuse report (from the Internet) reported to the
> enterprise will see the IPv6 privacy address, and the enterprise needs to
> determine which host was using that address. Thus the tooling needs to be
> capable of auditing for multiple IPv6 addresses assigned to a host. If the
> tooling can handle multiple IPv6 addresses assigned to a host for
> Internet-destined traffic, the tooling should be capable of handling
> multiple IPv6 addresses for enterprise-internal traffic, too?
This would be why I would lean towards a DHCP-based solution: you configure certain subnets/prefixes to have "random" addresses assigned and others to have MAC-based ones (or 'static-y' reservations). You'd keep the assignment logs around for some period of time. If you're doing SLAAC and create an RA option, then to keep track of systems, you'd probably have to configure switches and routers to create a (syslog) entry every time a new machine is attached to a port. You need to keep track of this anyway for MAC tables, so perhaps some (togglable) code could be added to make a note of new and changed entries. You send that to a central logging host (which is generally best practice) for auditing purposes.
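As an added illustration (not code from either poster, and not any vendor's tooling) of the audit question both messages circle around, the script below builds a time-indexed "who had this address when" table from the kind of records the reply proposes: DHCPv6 lease assignments, router ND-cache entries for SLAAC and privacy addresses, and switch MAC-table learn/age events forwarded to a central log host. The log line formats, device names, MACs and addresses are all constructed for the example; a real deployment would swap in parsers for its own server and switch syslog formats. The point it demonstrates is that one host legitimately holds several addresses at once (DHCPv6, EUI-64 and a temporary address), that an address is later reissued to a different host, and that a lookup therefore has to be keyed on address *and* time.

```python
"""Added example, not from the thread: answer "which host used IPv6 address X
at time T?" from DHCPv6 lease logs plus router ND-cache and switch MAC-table
events. Every log format below is hypothetical; the parser is the part you
would replace with one for your own servers' and switches' syslog output."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv6Address
from typing import Optional

# Constructed sample syslog (hypothetical formats, not any vendor's syntax):
#   <ts> dhcpv6 lease <addr> mac <mac> valid <seconds>   DHCPv6 assignment
#   <ts> <router> nd-new <addr> mac <mac>                 new ND-cache entry
#   <ts> <switch> mac-learn <mac> port <port>             MAC learned on a port
#   <ts> <switch> mac-age <mac> port <port>               MAC aged out
# Host 00:11:.. holds a DHCPv6 address, its EUI-64 SLAAC address and a temporary
# (privacy) address at once; its DHCPv6 address is later reissued to 66:77:..
SAMPLE_LOGS = """\
2013-09-05T12:00:00Z sw1 mac-learn 00:11:22:33:44:55 port Gi1/0/12
2013-09-05T12:00:05Z dhcpv6 lease 2001:db8:1::5a3e:9c1f mac 00:11:22:33:44:55 valid 3600
2013-09-05T12:00:07Z rtr1 nd-new 2001:db8:2:1:211:22ff:fe33:4455 mac 00:11:22:33:44:55
2013-09-05T12:30:00Z rtr1 nd-new 2001:db8:2:1:7f4e:c2d1:8a03:5b9e mac 00:11:22:33:44:55
2013-09-05T13:04:30Z sw1 mac-age 00:11:22:33:44:55 port Gi1/0/12
2013-09-05T13:05:00Z sw1 mac-learn 66:77:88:99:aa:bb port Gi1/0/12
2013-09-05T13:05:03Z dhcpv6 lease 2001:db8:1::5a3e:9c1f mac 66:77:88:99:aa:bb valid 3600
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Interval:
    """A binding valid from start until end (None = still open when the logs end)."""
    start: datetime
    end: Optional[datetime]

    def covers(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


@dataclass
class AddrBinding(Interval):
    addr: IPv6Address
    mac: str
    source: str   # "dhcpv6" or "nd:<router>", so the answer says where it came from


@dataclass
class PortBinding(Interval):
    mac: str
    port: str


class AuditIndex:
    def __init__(self) -> None:
        self.addrs: list[AddrBinding] = []
        self.ports: list[PortBinding] = []

    def _close_addr(self, addr: IPv6Address, at: datetime) -> None:
        # An address seen behind a new MAC supersedes any binding still open for it.
        for b in self.addrs:
            if b.addr == addr and b.covers(at):
                b.end = at

    def _close_port(self, mac: str, at: datetime) -> None:
        for p in self.ports:
            if p.mac == mac and p.covers(at):
                p.end = at

    def ingest(self, line: str) -> None:
        f = line.split()
        ts = parse_ts(f[0])
        if f[1] == "dhcpv6" and f[2] == "lease":     # lease end = start + valid lifetime
            addr, mac, valid = IPv6Address(f[3]), f[5].lower(), int(f[7])
            self._close_addr(addr, ts)
            self.addrs.append(AddrBinding(ts, ts + timedelta(seconds=valid), addr, mac, "dhcpv6"))
        elif f[2] == "nd-new":                        # no lifetime logged: open-ended
            addr, mac = IPv6Address(f[3]), f[5].lower()
            self._close_addr(addr, ts)
            self.addrs.append(AddrBinding(ts, None, addr, mac, "nd:" + f[1]))
        elif f[2] == "mac-learn":
            mac, port = f[3].lower(), f[1] + "/" + f[5]
            self._close_port(mac, ts)
            self.ports.append(PortBinding(ts, None, mac, port))
        elif f[2] == "mac-age":
            self._close_port(f[3].lower(), ts)
        else:
            raise ValueError("unrecognised log line: " + line)

    def port_of(self, mac: str, at: datetime) -> Optional[str]:
        hits = [p for p in self.ports if p.mac == mac and p.covers(at)]
        return max(hits, key=lambda p: p.start).port if hits else None

    def who_had(self, addr: str, at: str) -> Optional[dict]:
        """Answer an abuse report: who held this address at that instant?"""
        a, t = IPv6Address(addr), parse_ts(at)   # IPv6Address normalises case and :: compression
        hits = [b for b in self.addrs if b.addr == a and b.covers(t)]
        if not hits:
            return None
        b = max(hits, key=lambda b: b.start)
        return {"mac": b.mac, "port": self.port_of(b.mac, t), "source": b.source}

    def addresses_of(self, mac: str, at: str) -> list[str]:
        """Every address one host held at once: the multi-address case the tooling must handle."""
        t = parse_ts(at)
        return [str(b.addr) for b in sorted(self.addrs, key=lambda b: b.addr)
                if b.mac == mac.lower() and b.covers(t)]


def build_index(log_text: str) -> AuditIndex:
    idx = AuditIndex()
    lines = [l for l in log_text.splitlines() if l.strip()]
    for line in sorted(lines, key=lambda l: parse_ts(l.split()[0])):   # order matters for supersession
        idx.ingest(line)
    return idx


IDX = build_index(SAMPLE_LOGS)

if __name__ == "__main__":
    print(IDX.who_had("2001:DB8:1:0:0:0:5A3E:9C1F", "2013-09-05T12:45:00Z"))
    print(IDX.who_had("2001:db8:1::5a3e:9c1f", "2013-09-05T13:10:00Z"))
    print(IDX.addresses_of("00:11:22:33:44:55", "2013-09-05T12:45:00Z"))
```

Two caveats the sample makes visible: the abuse report's address is parsed through IPv6Address before comparison, since reports arrive in whatever case and compression the reporter's tool used; and ND-cache entries carry no lifetime in these constructed logs, so a host's privacy address stays attributed to it until the router logs a replacement or the log source also records cache expiry, which is the sort of "changed entries" event the reply asks switch and router vendors to emit.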
