IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices
swmike at swm.pp.se
Sun May 8 10:00:08 CEST 2011
On Sun, 8 May 2011, Florian Weimer wrote:
> * Ben Jencks:
>> If you don't want to use stateful DHCPv6, you don't actually get to
>> assign addresses, so you just have to observe what the clients do. You
>> can do this with ARP table scraping on the router and MAC table
>> scraping on the access switches.
> Is there a technology which allows you to run such a configuration in
> a secure way without sacrificing at least a /64 per host?
It depends on what you mean by "secure". SLAAC is inherently "host can
take whatever address it want as long as it's not already in use".
If you want to know what machine had what IP at a certain time, you either
have to make sure that machine is alone in that /64 and use SLAAC, or you
have to log all IP/MAC combinations continously and also make sure no
spoofing can be done (IETF SAVI WG functionality), or you should use
stateful DHCPv6 for address handout and do the same kind of antispoofing
bsaed on DHCPv6 snooping.
Another way of course is to statically handle addresses, give each
customer a /125 or something and then just do uRPF, then you're sure who
had what IPv6 address.
Inherently SLAAC is "flexible" and "easy", which usually implies "not
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the ipv6-ops