Hello Tim,

I am bringing this back up with a few questions!

> #2.  Tracking IA-NA address per host

What do you mean?

> #3.  Making use of Framed-IPv6-Address RADIUS attribute

To update node IP records?

> In the end, I think we would probably need to expand the pf.iplog table to be 
> more like (Or have a separate table for ipv6 addresses?  I don't know what is 
> going to be most scalable/efficient):
> 
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd, 
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2, 
> start_time6na2, end_time6na2

In this scenario, I assume:
- ip6 would be the DHCP6 address;
- ip6pd would be the DHCP6 PD prefix;
- ip6na1 would be the SLAAC address;
- ip6na2 would be the SLAAC temporary (Privacy extension address)

Am I assuming right?

Also, can you elaborate a bit more on the “PD” just to make sure we are on the 
same page.

Cheers!
— dw.

--
Derek Wuelfrath
[email protected]
Inverse inc. :: Leaders behind SOGo (https://sogo.nu/) and
PacketFence (https://packetfence.org/)

> On Nov 10, 2016, at 08:23, Tim DeNike <[email protected]> wrote:
> 
> Is there any progress being made towards functional IPv6 IP tracking in PF?  
> I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer takes 
> the udp_reflector data I was sending from my DHCPv6 servers.  It's like it 
> just ignores it.  ( I know it only ever looked for the 
> fingerprint/vendor/enterprise info and didn't update).
> 
> #1.  Forwarding DHCPv6 using udp_reflector
> #2.  Tracking IA-NA address per host
> #3.  Making use of Framed-IPv6-Address RADIUS attribute
> #4.  Performing firewall SSO updates
> 
> Less Important (At least to me):
> #5.  Tracking IA-PD subnet per host (as a separate field).
> #6.  Figure out a way to forward ND packets to PF for sites that use SLAAC 
> (Maybe snmp queries to routers or sflow data?)
> 
> In the end, I think we would probably need to expand the pf.iplog table to be 
> more like (Or have a separate table for ipv6 addresses?  I don't know what is 
> going to be most scalable/efficient):
> 
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd, 
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2, 
> start_time6na2, end_time6na2
> 
> 
> Reasoning for so many fields:
> 
> In a network with both SLAAC and DHCP6 enabled, a device could have 4 ipv6 
> addresses.
> 
> 1 - SLAAC address
> 2 - SLAAC temporary (Privacy extensions address)
> 3 - DHCP6 address
> 4 - DHCP6 PD Prefix
> 
> Now this is an improperly configured network, but there could be a legit 
> use-case for it. You should really only use SLAAC or DHCP6, not both.
> 
> A Windows client will prefer/use the DHCP6 address, but the SLAAC and 
> SLAAC temp address are both valid and usable.
> 
> A Mac client will prefer/use the SLAAC temp address, but the SLAAC and DHCP6 
> address are still valid and usable.
> 
> Android devices don't support DHCP6 (Because Google is really stupid)
> 
> iOS devices behave like OSX devices.
> 
> Most home routers will use DHCP6 address for their own communication,  some 
> will get a SLAAC address, some won't.  Most don't even need the NA address 
> and only require a PD address.
> 
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
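
The "separate table for ipv6 addresses" alternative raised in the quoted message, as an added sketch that is not part of the thread and not PacketFence's schema. The table name `ip6log`, the `kind` column, and the functions `open_db`, `record` and `who_had` are hypothetical; the test addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import sqlite3

# The four address kinds enumerated in the quoted message.
KINDS = ("dhcp6_na", "dhcp6_pd", "slaac", "slaac_temp")

def open_db():
    db = sqlite3.connect(":memory:")
    # One row per (mac, kind, value) interval; end_time NULL means still in use.
    db.execute("CREATE TABLE ip6log (mac TEXT NOT NULL, kind TEXT NOT NULL,"
               " addr TEXT NOT NULL, start_time INTEGER NOT NULL, end_time INTEGER)")
    db.execute("CREATE INDEX ip6log_open ON ip6log (mac, kind, end_time)")
    return db

def _canon(kind, value):
    # Normalise text so '2001:DB8::1' and '2001:db8:0::1' compare equal.
    if kind == "dhcp6_pd":
        return str(ipaddress.IPv6Network(value, strict=False))
    return str(ipaddress.IPv6Address(value))

def record(db, mac, kind, value, now):
    """Log an observation; returns True if a new interval was opened."""
    if kind not in KINDS:
        raise ValueError(f"unknown kind: {kind}")
    mac, value = mac.lower(), _canon(kind, value)
    cur = db.execute("SELECT addr FROM ip6log WHERE mac=? AND kind=?"
                     " AND end_time IS NULL", (mac, kind)).fetchone()
    if cur and cur[0] == value:
        return False  # renewal of the same value: keep the open interval
    # Assumption: one open value per kind, so a change closes the old one.
    db.execute("UPDATE ip6log SET end_time=? WHERE mac=? AND kind=?"
               " AND end_time IS NULL", (now, mac, kind))
    db.execute("INSERT INTO ip6log VALUES (?,?,?,?,NULL)", (mac, kind, value, now))
    return True

def who_had(db, addr, at):
    """MACs holding addr at time `at`, directly or inside a delegated prefix."""
    ip = ipaddress.IPv6Address(addr)
    rows = db.execute("SELECT mac, kind, addr FROM ip6log WHERE start_time<=?"
                      " AND (end_time IS NULL OR end_time>?)", (at, at))
    hits = []
    for mac, kind, stored in rows:
        if kind == "dhcp6_pd":
            match = ip in ipaddress.IPv6Network(stored)
        else:
            match = ip == ipaddress.IPv6Address(stored)
        if match:
            hits.append((mac, kind))
    return sorted(hits)
```

A host using privacy extensions can hold more than one temporary address at the same time, so a production design would have to relax the one-open-value-per-kind assumption for `slaac_temp`.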
