On Thu, 23 Sep 2010 07:33:24 +0200 (CEST) Mikael Abrahamsson <[email protected]> wrote:
> On Thu, 23 Sep 2010, Mark Smith wrote:
>
> > If your concerns about end-node trust are as strong as they seem to be,
> > wouldn't you be using 802.1x link layer authentication to identify and
> > track the end-user? Wouldn't that be a much more effective mechanism to
> > track who was attached to the network, when and for what duration?
>
> I don't want to manage user accounts and credentials, also I'm not sure
> 802.1x in any way handles what the user can do once they're connected.
>
> I'm talking about ETTH, one port in an L2 switch is a household. I know
> what port goes to each household, so "trust" is not the issue.
>
> In IPv4 I hand out an IP address and I know to what port (option 82) this
> IP address is at, and the L2 environment makes sure this port can only
> source traffic from the IP it has been handed for the duration of the
> lease.
>

Here's a suggestion of something that might go close to what you want -

RA with M set, no Prefix Information Option

That should trigger the end node to use Stateful DHCPv6 for its configuration parameters, and as there is no PIO, the end-node is to consider all other destinations off link other than its own address (as per RFC5942 - "IPv6 Subnet Model: The Relationship between Links and Subnet Prefixes."), so it'll use the default router to get everywhere other than its own addresses.

By setting the Router Lifetime to 0 in the RA, that'd stop the router being used as a default router. However, then you'd need a DHCPv6 option to convey the default router. That still wouldn't eliminate the need for the RA though, as it is still being used to express the address configuration policy, so it pretty much makes a DHCPv6 default router option somewhat redundant. You may as well just set the RA Router Lifetime to a non-zero value to express the identity of the default router.
> > "Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent
> > Remote-ID Option" and similar could also be used in that scenario, with
> > the layer 2 device acting as a DHCPv6 relay. With it acting in that
> > role, it would then be able to automatically configure basic and simple
> > IPv6 source address filters and apply them to the link layer port.
>
> I'm sure this is one thing SAVI WG has looked at and is part of their
> requirements.
>
> Regards, Mark.
>
> --
> Mikael Abrahamsson email: [email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
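The RA behaviour discussed in the message above, as an added example that is not part of the original thread: a Python script (assumed helper names build_ra, parse_ra and next_hop; constructed packets with the ICMPv6 checksum left at zero) builds an RA with the M bit set and no Prefix Information Option, parses it, and shows which destinations a host then treats as on-link versus via the default router, and how a zero Router Lifetime removes that default router.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6_RA = 134       # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3   # ND option type: Prefix Information Option (PIO)
FLAG_M = 0x80         # RA "Managed" bit: get addresses via stateful DHCPv6
PIO_L = 0x80          # PIO "on-link" (L) bit

def build_ra(managed, router_lifetime, prefixes=()):
    """Build an ICMPv6 RA body (checksum left 0; the sending stack fills it).
    prefixes: iterable of (prefix string, on_link bool); empty means no PIO."""
    flags = FLAG_M if managed else 0
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix, on_link in prefixes:
        net = IPv6Network(prefix)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                           PIO_L if on_link else 0, 2592000, 604800, 0)
        pkt += net.network_address.packed          # 16-byte prefix field
    return pkt

def parse_ra(pkt):
    """Return the M bit, Router Lifetime and on-link prefixes carried by an RA."""
    hdr = struct.unpack("!BBHBBHII", pkt[:16])
    typ, flags, lifetime = hdr[0], hdr[4], hdr[5]
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    on_link, off = [], 16
    while off + 2 <= len(pkt):                     # walk the TLV option chain
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:                              # RFC 4861: zero length => discard
            raise ValueError("zero-length ND option")
        body = pkt[off + 2:off + olen * 8]
        if otype == OPT_PREFIX_INFO and body[1] & PIO_L:
            on_link.append(IPv6Network((body[14:30], body[0]), strict=False))
        off += olen * 8
    return {"managed": bool(flags & FLAG_M), "router_lifetime": lifetime,
            "on_link": on_link}

def next_hop(ra, own_addr, dst, router_lladdr):
    """Host forwarding decision under the RFC 5942 subnet model: only the host's
    own address and L-bit PIO prefixes are on-link; everything else goes to a
    default router, and the RA sender is one only while Router Lifetime > 0."""
    own, dst = IPv6Address(own_addr), IPv6Address(dst)
    if dst == own or any(dst in net for net in ra["on_link"]):
        return "on-link"
    if ra["router_lifetime"] > 0:
        return f"via {router_lladdr}"
    return "no default router"

if __name__ == "__main__":
    # The RA suggested in the thread: M set, no PIO, non-zero Router Lifetime.
    ra = parse_ra(build_ra(managed=True, router_lifetime=1800))
    print(ra, next_hop(ra, "2001:db8::10", "2001:db8::20", "fe80::1"))
```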
