Hello Tim,

First of all, thanks for your detailed explanation of the required stuff to cover all the possible IPv6 addressing cases.
We will do some work to accomplish that missing feature in the coming weeks or so. I’ll try to update this thread with some links to our GitHub repo for related work.

Cheers!
-dw.

--
Derek Wuelfrath
[email protected]
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

> On Nov 14, 2016, at 12:59, Tim DeNike <[email protected]> wrote:
>
> Nada?
>
> On Thu, Nov 10, 2016 at 8:23 AM, Tim DeNike <[email protected]> wrote:
> Is there any progress being made towards functional IPv6 IP tracking in PF?
> I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer takes
> the udp_reflector data I was sending from my DHCPv6 servers. It's like it
> just ignores it. (I know it only ever looked for the
> fingerprint/vendor/enterprise info and didn't update.)
>
> #1. Forwarding DHCPv6 using udp_reflector
> #2. Tracking IA-NA address per host
> #3. Making use of Framed-IPv6-Address RADIUS attribute
> #4. Performing firewall SSO updates
>
> Less Important (At least to me):
> #5. Tracking IA-PD subnet per host (as a separate field).
> #6. Figure out a way to forward ND packets to PF for sites that use SLAAC
> (Maybe snmp queries to routers or sflow data?)
>
> In the end, I think we would probably need to expand the pf.iplog table to be
> more like (Or have a separate table for ipv6 addresses? I don't know what is
> going to be most scalable/efficient):
>
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
> start_time6na2, end_time6na2
>
> Reasoning for so many fields:
>
> In a network with both SLAAC and DHCP6 enabled, a device could have 4 ipv6
> addresses.
>
> 1 - SLAAC address
> 2 - SLAAC temporary (Privacy extensions address)
> 3 - DHCP6 address
> 4 - DHCP6 PD Prefix
>
> Now this is an improperly configured network, but there could be a legit
> use-case for it. You should really only use SLAAC or DHCP6, not both.
>
> A Windows client will prefer/use the DHCP6 address, but the SLAAC and
> SLAAC temp address are both valid and usable.
>
> A Mac client will prefer/use the SLAAC temp address, but the SLAAC and DHCP6
> address are still valid and usable.
>
> Android devices don't support DHCP6 (Because Google is really stupid)
>
> iOS devices behave like OSX devices.
>
> Most home routers will use DHCP6 address for their own communication, some
> will get a SLAAC address, some won't. Most don't even need the NA address
> and only require a PD address.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
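
The "separate table for ipv6 addresses" alternative raised in the quoted message, sketched as an added example; it is not part of the thread and not PacketFence code. The `ip6log` table, its columns and the four `kind` names are hypothetical, and the sample addresses used to exercise it come from the 2001:db8::/32 documentation range.

```python
import ipaddress
import sqlite3

# Hypothetical layout (not PacketFence's schema): one row per address or
# delegated prefix, so a host can hold all four kinds at the same time.
SCHEMA = """
CREATE TABLE ip6log (
    mac        TEXT NOT NULL,
    kind       TEXT NOT NULL
               CHECK (kind IN ('slaac', 'slaac_temp', 'ia_na', 'ia_pd')),
    prefix     TEXT NOT NULL,   -- address stored as /128, IA-PD as its prefix
    start_time INTEGER NOT NULL,
    end_time   INTEGER          -- NULL while the entry is still open
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _net(value):
    net = ipaddress.ip_network(value, strict=False)  # bare address -> /128
    if net.version != 6:
        raise ValueError(f"not an IPv6 address or prefix: {value}")
    return str(net)

def record(db, mac, kind, value, now):
    """Open an entry unless the same MAC already has this prefix open."""
    row = (mac.lower(), _net(value))
    if db.execute("SELECT 1 FROM ip6log WHERE mac = ? AND prefix = ? "
                  "AND end_time IS NULL", row).fetchone() is None:
        db.execute("INSERT INTO ip6log VALUES (?, ?, ?, ?, NULL)",
                   (row[0], kind, row[1], now))

def close(db, mac, value, now):
    db.execute("UPDATE ip6log SET end_time = ? WHERE mac = ? AND prefix = ? "
               "AND end_time IS NULL", (now, mac.lower(), _net(value)))

def mac_for(db, address, at):
    """Return [(mac, kind)] covering `address` at time `at`, longest prefix first."""
    ip = ipaddress.ip_address(address)
    live = db.execute("SELECT mac, kind, prefix FROM ip6log WHERE start_time <= ? "
                      "AND (end_time IS NULL OR end_time > ?)", (at, at))
    hits = [(ipaddress.ip_network(p), m, k) for m, k, p in live
            if ip in ipaddress.ip_network(p)]
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(m, k) for _, m, k in hits]
```

The lookup filters candidate rows in Python, so every query scans the live rows; a production table would store the prefix in an indexable binary form instead.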
