Is there any progress being made towards functional IPv6 IP tracking in
PF? I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
takes the udp_reflector data I was sending from my DHCPv6 servers. It's
like it just ignores it. (I know it only ever looked for the
fingerprint/vendor/enterprise info and didn't update).
#1. Forwarding DHCPv6 using udp_reflector
#2. Tracking IA-NA address per host
#3. Making use of Framed-IPv6-Address RADIUS attribute
#4. Performing firewall SSO updates
Less Important (At least to me):
#5. Tracking IA-PD subnet per host (as a separate field).
#6. Figure out a way to forward ND packets to PF for sites that use SLAAC
(Maybe SNMP queries to routers or sFlow data?)
In the end, I think we would probably need to expand the pf.iplog table to
be more like (Or have a separate table for IPv6 addresses? I don't know
what is going to be most scalable/efficient):
mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
start_time6na2, end_time6na2
Reasoning for so many fields:
In a network with both SLAAC and DHCP6 enabled, a device could have 4 IPv6
addresses.
1 - SLAAC address
2 - SLAAC temporary (Privacy extensions address)
3 - DHCP6 address
4 - DHCP6 PD Prefix
Now this is an improperly configured network, but there could be a legit
use-case for it. You should really only use SLAAC or DHCP6, not both.
A Windows client will prefer/use the DHCP6 address, but the SLAAC and
SLAACtemp address are both valid and usable.
A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
DHCP6 address are still valid and usable.
Android devices don't support DHCP6 (because Google is really stupid).
iOS devices behave like OSX devices.
Most home routers will use DHCP6 address for their own communication, some
will get a SLAAC address, some won't. Most don't even need the NA address
and only require a PD address.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
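
Added example, not part of the original post and not PacketFence's own schema or code: one way to model the "separate table for IPv6 addresses" option raised in the message, with one row per MAC and address kind (SLAAC, SLAAC temporary, IA-NA, IA-PD), so an address seen in a log can be attributed to a MAC at a given time. The table name `ip6log`, its columns and the helper functions are assumptions made for illustration.

```python
import ipaddress
import sqlite3

# Hypothetical schema: one row per (mac, address kind) instead of a group of
# ip6*/start_time6*/end_time6* columns per address type on pf.iplog.
SCHEMA = """
CREATE TABLE ip6log (
    mac        TEXT NOT NULL,
    kind       TEXT NOT NULL
               CHECK (kind IN ('slaac', 'slaac_temp', 'ia_na', 'ia_pd')),
    addr       TEXT NOT NULL,     -- canonical address; CIDR prefix for ia_pd
    start_time INTEGER NOT NULL,  -- epoch seconds
    end_time   INTEGER            -- NULL while the entry is current
);
CREATE INDEX ip6log_mac ON ip6log (mac, kind, end_time);
"""

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record(db, mac, kind, addr, now):
    """Close the MAC's open entry of this kind, then open a new one."""
    mac = mac.lower()
    # Canonicalise so '2001:DB8:0:0::1' and '2001:db8::1' compare equal.
    if kind == "ia_pd":
        addr = str(ipaddress.ip_network(addr))
    else:
        addr = str(ipaddress.ip_address(addr))
    with db:  # one transaction: close old entry, open new one
        db.execute("UPDATE ip6log SET end_time = ? WHERE mac = ? AND kind = ?"
                   " AND end_time IS NULL", (now, mac, kind))
        db.execute("INSERT INTO ip6log VALUES (?, ?, ?, ?, NULL)",
                   (mac, kind, addr, now))

def mac_for(db, addr, when):
    """Return (mac, kind) that held addr at time `when`, or None."""
    ip = ipaddress.ip_address(addr)
    rows = db.execute(
        "SELECT mac, kind, addr FROM ip6log WHERE start_time <= ?"
        " AND (end_time IS NULL OR end_time > ?)"
        " ORDER BY kind = 'ia_pd'", (when, when))  # host addresses first
    for mac, kind, stored in rows:
        if kind == "ia_pd":
            if ip in ipaddress.ip_network(stored):  # inside a delegated prefix
                return mac, kind
        elif ip == ipaddress.ip_address(stored):
            return mac, kind
    return None
```

The lookup scans all rows active at the requested time to keep the prefix-containment logic visible; a production table would add an index on the address column and handle delegated prefixes separately.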