On Wed, 22 Sep 2010 15:49:10 +0200 (CEST) Mikael Abrahamsson <[email protected]> wrote:
> On Wed, 22 Sep 2010, Christopher Morrow wrote:
>
> > I can see that in the ipv6 world I'd want to do the same sort of thing,
> > assign addresses (and retain the capability to shift dns, tftp, wins,
> > etc) around from a central control point. I'd also like to not have
> > random things plugged into my LAN get globally reachable addresses
> > (and/or access to my internal LAN's secrets, etc).
>
> Exactly, this is why people who need to have some kind of tracking need
> DHCP.
>
> <http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap5.html>
>
> describes some of the mechanisms used for IPv4 to achieve this.

If your concerns about end-node trust are as strong as they seem to be, wouldn't you be using 802.1x link layer authentication to identify and track the end-user? Wouldn't that be a much more effective mechanism to track who was attached to the network, when and for what duration?

I haven't had a chance to look into it yet; however, I've been wondering if link layer authentication credentials could be used to do things like bootstrap SeND, providing the level of address/traffic auditability you're after. That would take advantage of existing mechanisms, rather than making fundamental changes to IPv6 operational models such as ND/RAs etc.

Mechanisms like RFC4649 - "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option" and similar could also be used in that scenario, with the layer 2 device acting as a DHCPv6 relay. With it acting in that role, it would then be able to automatically configure basic and simple IPv6 source address filters and apply them to the link layer port.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
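The per-port filter step Mark sketches, as an added example that is not from the thread or from any switch vendor: a minimal Python parser for a DHCPv6 Relay-Reply (RFC 3315 framing) that pulls the leased addresses out of the embedded Reply's IA_NA/IAADDR options and binds them to the switch port the relay recorded for the client's link-local peer address. The peer-to-port table, the port name "Gi1/0/7" and all message bytes are constructed for the example; the Remote-ID insertion on the forward path is left out.

```python
import struct
import ipaddress

RELAY_REPL, OPT_IA_NA, OPT_IAADDR, OPT_RELAY_MSG = 13, 3, 5, 9

def parse_options(buf):
    """Yield (code, data) pairs from a run of DHCPv6 TLV options (RFC 3315, section 22.1)."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        yield code, data
        off += 4 + length

def leased_addresses(reply):
    """Addresses granted in a client/server Reply: IAADDR options nested inside IA_NA options."""
    addrs = []
    for code, data in parse_options(reply[4:]):            # skip msg-type + 3-byte transaction id
        if code == OPT_IA_NA:
            for icode, idata in parse_options(data[12:]):  # skip IAID, T1, T2
                if icode == OPT_IAADDR:
                    addrs.append(str(ipaddress.IPv6Address(idata[:16])))
    return addrs

def port_source_filter(relay_reply, peer_to_port):
    """Return (port, allowed_sources) for a server Relay-Reply. The relay is assumed to have
    recorded client link-local -> port when it forwarded the request (constructed state here)."""
    if relay_reply[0] != RELAY_REPL:
        raise ValueError("not a Relay-Reply")
    peer = ipaddress.IPv6Address(relay_reply[18:34])  # msg-type(1) hop-count(1) link(16) peer(16)
    port = peer_to_port[peer]
    for code, data in parse_options(relay_reply[34:]):
        if code == OPT_RELAY_MSG:
            # keep the link-local source permitted: ND and DHCPv6 itself depend on it
            return port, [str(peer)] + leased_addresses(data)
    raise ValueError("Relay-Reply without Relay-Msg option")

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample: server grants 2001:db8::10 to a client the relay saw on port Gi1/0/7.
IAADDR = opt(OPT_IAADDR, ipaddress.IPv6Address("2001:db8::10").packed + struct.pack("!II", 3600, 7200))
REPLY = bytes([7, 0, 0, 1]) + opt(OPT_IA_NA, struct.pack("!III", 1, 1800, 2880) + IAADDR)
PEER = ipaddress.IPv6Address("fe80::1")
RELAY_REPLY = bytes([RELAY_REPL, 0]) + ipaddress.IPv6Address("2001:db8::1").packed + PEER.packed + opt(OPT_RELAY_MSG, REPLY)
PEER_TO_PORT = {PEER: "Gi1/0/7"}   # assumed relay state: client link-local -> switch port

if __name__ == "__main__":
    print(port_source_filter(RELAY_REPLY, PEER_TO_PORT))  # ('Gi1/0/7', ['fe80::1', '2001:db8::10'])
```

The returned list is what a switch would turn into an ingress source-address filter on that port; anything else sourced from the port is then out of policy and worth logging.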
