IA-NA = Identity association for Network Address. DHCP-assigned address.
IA-PD = DHCP delegated prefix. An entire subnet that was assigned by
DHCPv6. This is how you typically get IPv6 subnets from your broadband
provider. The NAT router that requested that prefix will assign it to the
LAN interfaces and advertise the subnet to clients attached to it. The
prefix could be a /64 or /60 in most common cases, but some ISPs will let a
user get a /56 or /48. So the end user could potentially have between 1
and 65536 subnets of 18 quintillion IPs.
A registered device could be an ASUS router that has an IPv4 address, an
IPv6 NA address that it puts on its WAN interface (Optional, not really
needed), and an IPv6 PD Prefix that it puts on one or more of its LAN
interfaces.
Yes, on the Framed-IPv6-Address (some NASs can also send the
Framed-IPv6-Prefix). This is most useful in a SLAAC environment like
wireless. You can't really make full use of DHCPv6 in a wireless
environment because Google doesn't know what they are doing and doesn't
support DHCPv6 properly on Android devices (they break if you set the managed
config flag and non-autonomous bits in RAs). Neighbor Advertisement
messages would be difficult to forward to PF in a network with many remote
L3 segments. Most wireless controllers will snoop the SLAAC address the
clients are using and send it back to RADIUS. Some switches do too (Brocade
in our case, Cisco does as well I believe).
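The RADIUS path described above gives PF a MAC (Calling-Station-Id) and a snooped address (Framed-IPv6-Address) but no lifetimes, so telling the stable SLAAC address from a temporary or DHCPv6 one has to be done from the address itself. The following is an added example, not code from PacketFence or from anyone in this thread; the MAC and the 2001:db8::/32 documentation addresses are constructed, and the classification only recognises the EUI-64 form (RFC 4291 Appendix A). An address that comes back "other" may be a privacy-extension temporary address, a DHCPv6 address, or an RFC 7217 stable opaque identifier, which modern stacks use instead of EUI-64; the RADIUS attribute alone cannot separate those.

```python
"""Added example (not PacketFence code): classify a RADIUS-reported IPv6 address
relative to the reporting client's MAC. Sample data below is constructed."""
import ipaddress


def eui64_interface_id(mac):
    """Return the 8-byte modified EUI-64 interface identifier for a MAC string."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def classify_framed_ipv6(calling_station_id, framed_ipv6_address):
    """Classify the address as "link-local", "slaac-eui64" or "other".

    "other" covers temporary (privacy extension), DHCPv6 and RFC 7217 addresses,
    which cannot be distinguished from each other without lifetime information."""
    addr = ipaddress.IPv6Address(framed_ipv6_address)
    if addr.is_link_local:
        # fe80::/10 is not useful for the global ip6 fields of an iplog-style row.
        return "link-local"
    if addr.packed[8:] == eui64_interface_id(calling_station_id):
        return "slaac-eui64"
    return "other"


# Constructed sample accounting data: hypothetical MAC, documentation prefix.
SAMPLE_RECORDS = [
    ("00:11:22:33:44:55", "2001:db8:1:0:211:22ff:fe33:4455"),   # stable EUI-64 SLAAC
    ("00:11:22:33:44:55", "2001:db8:1:0:7c1f:9a3e:2b0d:11ef"),  # temporary or DHCPv6
    ("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),          # link-local only
]

if __name__ == "__main__":
    for mac, ip6 in SAMPLE_RECORDS:
        print(mac, ip6, classify_framed_ipv6(mac, ip6))
```

With the table layout proposed later in the thread, a "slaac-eui64" result would go into the ip6na1 field and an "other" result into ip6na2 only if the DHCPv6 listener has not already claimed that address as the ip6 (IA_NA) lease.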
On Fri, Feb 24, 2017 at 10:22 AM, Derek Wuelfrath <[email protected]>
wrote:
> Hello Tim,
>
> I am bringing this back up with a few questions!
>
> #2. Tracking IA-NA address per host
>
> What do you mean?
>
> #3. Making use of Framed-IPv6-Address RADIUS attribute
>
> To update node ip records?
>
> In the end, I think we would probably need to expand the pf.iplog table to
> be more like (Or have a separate table for ipv6 addresses? I don't know
> what is going to be most scalable/efficient):
>
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
> start_time6na2, end_time6na2
>
>
> In this scenario, I assume:
> - ip6 would be the DHCP6 address;
> - ip6pd would be the DHCP6 PD prefix;
> - ip6na1 would be the SLAAC address;
> - ip6na2 would be the SLAAC temporary (Privacy extension address)
>
> Am I assuming right?
>
> Also, can you elaborate a bit more on the “PD” just to make sure we are on
> the same page.
>
> Cheers!
> — dw.
>
> --
> Derek Wuelfrath
> [email protected]
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu <https://sogo.nu>) and
> PacketFence (www.packetfence.org <https://packetfence.org>)
>
> On Nov 10, 2016, at 08:23, Tim DeNike <[email protected]> wrote:
>
> Is there any progress being made towards functional IPv6 IP tracking in
> PF? I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
> takes the udp_reflector data I was sending from my DHCPv6 servers. It's
> like it just ignores it. (I know it only ever looked for the
> fingerprint/vendor/enterprise info and didn't update.)
>
> #1. Forwarding DHCPv6 using udp_reflector
> #2. Tracking IA-NA address per host
> #3. Making use of Framed-IPv6-Address RADIUS attribute
> #4. Performing firewall SSO updates
>
> Less Important (At least to me):
> #5. Tracking IA-PD subnet per host (as a separate field).
> #6. Figure out a way to forward ND packets to PF for sites that use SLAAC
> (Maybe snmp queries to routers or sflow data?)
>
> In the end, I think we would probably need to expand the pf.iplog table to
> be more like (Or have a separate table for ipv6 addresses? I don't know
> what is going to be most scalable/efficient):
>
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
> start_time6na2, end_time6na2
>
>
> Reasoning for so many fields:
>
> In a network with both SLAAC and DHCP6 enabled, a device could have 4 ipv6
> addresses.
>
> 1 - SLAAC address
> 2 - SLAAC temporary (Privacy extensions address)
> 3 - DHCP6 address
> 4 - DHCP6 PD Prefix
>
> Now this is an improperly configured network, but there could be a legit
> use-case for it.. You should really only use SLAAC or DHCP6, not both.
>
> A Windows client will prefer/use the DHCP6 address, but the SLAAC and
> SLAAC temp address are both valid and usable.
>
> A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
> DHCP6 address are still valid and usable.
>
> Android devices don't support DHCP6 (because Google is really stupid).
>
> iOS devices behave like OSX devices.
>
> Most home routers will use DHCP6 address for their own communication,
> some will get a SLAAC address, some won't. Most don't even need the NA
> address and only require a PD address.
>
>
> ------------------------------------------------------------------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
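The thread's proposed iplog fields (ip6 with start_time6/end_time6, ip6pd with start_time6pd/end_time6pd) map directly onto what a DHCPv6 REPLY carries: the IA_NA option holds the host address in an IA_ADDR sub-option, the IA_PD option holds the delegated subnet in an IA_PREFIX sub-option, and each sub-option carries the valid lifetime from which the end time follows. The parser below is an added example, not PacketFence code and not anything posted by the thread authors; option layouts follow RFC 8415, and the REPLY packet, DUID and 2001:db8::/32 prefixes are constructed for the example. It goes slightly beyond the thread by handling the infinite lifetime (0xffffffff), which has no end time.

```python
"""Added example (not PacketFence code): extract IA_NA and IA_PD leases from a
DHCPv6 REPLY into iplog-style fields. The sample packet is constructed."""
import ipaddress
import struct
import time

MSG_REPLY = 7
OPTION_CLIENTID = 1
OPTION_IA_NA = 3
OPTION_IAADDR = 5
OPTION_IA_PD = 25
OPTION_IAPREFIX = 26
INFINITE_LIFETIME = 0xFFFFFFFF


def iter_options(data):
    """Yield (option-code, payload) for a run of DHCPv6 TLV options."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated DHCPv6 option %d" % code)
        yield code, data[off:off + length]
        off += length


def _end_time(now, valid_lifetime):
    """Lease end as an epoch second, or None for the RFC 8415 infinite lifetime."""
    return None if valid_lifetime == INFINITE_LIFETIME else now + valid_lifetime


def parse_reply(packet, now=None):
    """Return {'duid': hex string, 'na': [...], 'pd': [...]} for a DHCPv6 REPLY."""
    if len(packet) < 4 or packet[0] != MSG_REPLY:
        raise ValueError("not a DHCPv6 REPLY")
    now = int(time.time()) if now is None else now
    rec = {"duid": None, "na": [], "pd": []}
    for code, payload in iter_options(packet[4:]):  # skip msg-type + 3-byte transaction-id
        if code == OPTION_CLIENTID:
            rec["duid"] = payload.hex()
        elif code == OPTION_IA_NA:
            # IAID, T1, T2 (12 bytes) then sub-options; the address itself is in IA_ADDR.
            for sub, sp in iter_options(payload[12:]):
                if sub == OPTION_IAADDR:
                    addr = ipaddress.IPv6Address(sp[:16])
                    _preferred, valid = struct.unpack_from("!II", sp, 16)
                    rec["na"].append({"ip6": str(addr), "start_time6": now,
                                      "end_time6": _end_time(now, valid)})
        elif code == OPTION_IA_PD:
            # Same 12-byte header; the delegated subnet is in IA_PREFIX sub-options.
            for sub, sp in iter_options(payload[12:]):
                if sub == OPTION_IAPREFIX:
                    _preferred, valid, plen = struct.unpack_from("!IIB", sp, 0)
                    prefix = ipaddress.IPv6Network((sp[9:25], plen), strict=False)
                    rec["pd"].append({"ip6pd": str(prefix), "start_time6pd": now,
                                      "end_time6pd": _end_time(now, valid)})
    return rec


def _opt(code, payload):
    """Encode one DHCPv6 TLV option (used only to build the constructed sample)."""
    return struct.pack("!HH", code, len(payload)) + payload


# Constructed sample: a REPLY handing out one IA_NA address and one /60 IA_PD prefix.
SAMPLE_REPLY = (
    bytes([MSG_REPLY]) + b"\x12\x34\x56"                                 # msg-type, transaction-id
    + _opt(OPTION_CLIENTID, bytes.fromhex("00030001001122334455"))       # DUID-LL with made-up MAC
    + _opt(OPTION_IA_NA, struct.pack("!III", 1, 1800, 2880)
           + _opt(OPTION_IAADDR, ipaddress.IPv6Address("2001:db8:1::1234").packed
                  + struct.pack("!II", 3600, 7200)))
    + _opt(OPTION_IA_PD, struct.pack("!III", 2, 1800, 2880)
           + _opt(OPTION_IAPREFIX, struct.pack("!IIB", 3600, 86400, 60)
                  + ipaddress.IPv6Address("2001:db8:abc0::").packed))
)

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY, now=1000))
```

The DUID rather than a MAC is what identifies the client in DHCPv6; a listener that fills a MAC-keyed table still needs the link-layer address from the relay (or, as in the thread, from RADIUS) to join the two. A REPLY may also carry several IA_ADDR or IA_PREFIX entries, which is why the function returns lists rather than single values.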