IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices
Mikael Abrahamsson
swmike at swm.pp.se
Sun May 8 10:00:08 CEST 2011
On Sun, 8 May 2011, Florian Weimer wrote:
> * Ben Jencks:
>
>> If you don't want to use stateful DHCPv6, you don't actually get to
>> assign addresses, so you just have to observe what the clients do. You
>> can do this with ARP table scraping on the router and MAC table
>> scraping on the access switches.
>
> Is there a technology which allows you to run such a configuration in
> a secure way without sacrificing at least a /64 per host?
It depends on what you mean by "secure". SLAAC is inherently "host can
take whatever address it wants as long as it's not already in use".
If you want to know what machine had what IP at a certain time, you either
have to make sure that machine is alone in that /64 and use SLAAC, or you
have to log all IP/MAC combinations continuously and also make sure no
spoofing can be done (IETF SAVI WG functionality), or you should use
stateful DHCPv6 for address handout and do the same kind of antispoofing
based on DHCPv6 snooping.
Another way of course is to statically handle addresses, give each
customer a /125 or something and then just do uRPF, then you're sure who
had what IPv6 address.
Inherently SLAAC is "flexible" and "easy", which usually implies "not
secure" :P
--
Mikael Abrahamsson email: swmike at swm.pp.se
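The "log all IP/MAC combinations continuously" option from the reply above, as an added example that is not part of this thread: periodic snapshots of the router's IPv6 neighbor cache (assumed here to be Linux `ip -6 neigh show` output; the snapshots are constructed, not captured) are parsed into (address, MAC) bindings with first/last-seen times, so that "who had this address at time T" can be answered, and a second MAC claiming an address already held by another is flagged, which is the case SAVI-style binding enforcement would otherwise prevent.

```python
import re

# Shape of a Linux `ip -6 neigh show` entry that carries a link-layer address, e.g.
#   2001:db8:1::a1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
# FAILED/INCOMPLETE entries have no lladdr and therefore never match; flags such
# as "router" that may precede the state are swallowed by the trailing group.
NEIGH_RE = re.compile(
    r"^(?P<ip>[0-9a-f:]+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?P<rest>.*)$", re.IGNORECASE)

def parse_neigh(text):
    """Return (ip, mac) pairs for every resolved neighbor-cache entry in the snapshot."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m["ip"].lower(), m["mac"].lower()))
    return pairs

class BindingLog:
    """Tracks which MAC held which IPv6 address over time, across periodic snapshots."""
    def __init__(self):
        self.bindings = {}   # (ip, mac) -> [first_seen, last_seen]
        self.conflicts = []  # (ts, ip, previous_mac, new_mac)

    def record(self, ts, snapshot):
        for ip, mac in parse_neigh(snapshot):
            if (ip, mac) in self.bindings:
                self.bindings[(ip, mac)][1] = ts
                continue
            # A new MAC claiming an address another MAC already held: without SAVI
            # enforcement this cannot be blocked here, but it must be logged.
            for other_ip, other_mac in self.bindings:
                if other_ip == ip and other_mac != mac:
                    self.conflicts.append((ts, ip, other_mac, mac))
            self.bindings[(ip, mac)] = [ts, ts]

    def who_had(self, ip, ts):
        """MACs bound to `ip` at time `ts`; more than one means the record is ambiguous."""
        return sorted(mac for (i, mac), (first, last) in self.bindings.items()
                      if i == ip and first <= ts <= last)

# Constructed sample snapshots (not from a real network), taken 300 seconds apart.
SNAPSHOT_T0 = """2001:db8:1::a1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1::b2 dev eth1 lladdr 00:11:22:33:44:66 STALE
2001:db8:1::c3 dev eth1  FAILED"""
SNAPSHOT_T1 = """2001:db8:1::a1 dev eth1 lladdr aa:bb:cc:dd:ee:ff REACHABLE
2001:db8:1::b2 dev eth1 lladdr 00:11:22:33:44:66 router REACHABLE"""

def build_log():
    log = BindingLog()
    log.record(0, SNAPSHOT_T0)
    log.record(300, SNAPSHOT_T1)
    return log
```

In production the snapshots would come from a cron job or NETCONF/SNMP poll of the router, and the log would be kept for as long as the abuse-handling policy requires.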