Brian E Carpenter brian.e.carpenter at gmail.com
Wed Nov 16 23:46:03 CET 2011

On 2011-11-17 03:55, Mark Kamichoff wrote:
> On Wed, Nov 16, 2011 at 09:41:12AM +0100, Shane Kerr wrote:
>>> To further complicate the issue, firewall policies can also throw a
>>> wrench into this.  In the case of stateless DHCPv6 each server might
>>> still use EUI-64 (not even thinking about privacy extensions!) for
>>> the last 64-bits of the address.  Firewall policies will then have
>>> to rely on DNS since it would be absurd to swap out a NIC and have
>>> to update firewall configuration.  With stateful DHCPv6 and the
>>> server assigning IPv6 addresses to servers, firewall policies would
>>> still have to rely on DNS or the addition of each server would
>>> require a reservation during provisioning to always be guaranteed to
>>> receive the same address.
>> I'm curious... how is this any different from IPv4?
> The above is based on the assumption that very few organizations use
> DHCPv4 assignment of IPv4 addresses for servers in DCs and the majority
> of firewall policies are built based on IPv4 addresses and prefixes, not
> DNS names.
> Although I'm sure there are some exceptions, in general I believe this
> to be a correct assumption for enterprises.  Perhaps I am wrong?

I believe you're correct, but a related question is whether it is
also a correct assumption that most enterprises use an address management
tool of some kind, so that things like DNS, DHCP and ACL configurations
can be generated centrally. This impacts whether RA/SLAAC and DDNS
are part of the solution or part of the problem.
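
Added example (not part of the original thread, and not any participant's code): a sketch of the central generation discussed above, deriving each server's EUI-64 SLAAC address from an inventory and emitting the matching AAAA records and ACL lines, then showing which ACL lines go stale after a NIC swap. The inventory layout, host names, MAC addresses, documentation prefix and the generic ACL line format are all constructed assumptions.

```python
import ipaddress

PREFIX = "2001:db8:a:1::/64"  # constructed documentation prefix
INVENTORY = [  # constructed sample inventory
    {"name": "web1.example.net", "mac": "00:16:3e:12:34:56", "allow_tcp": [443]},
    {"name": "db1.example.net", "mac": "00:16:3e:65:43:21", "allow_tcp": [5432]},
]

def eui64_address(prefix, mac):
    """Address formed from a /64 and the modified EUI-64 interface ID (RFC 4291, App. A)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return net[int.from_bytes(iid, "big")]

def render(inventory, prefix):
    """Generate DNS records and ACL lines from the single source of truth."""
    records, acl = [], []
    for host in inventory:
        addr = eui64_address(prefix, host["mac"])
        records.append(f'{host["name"]}. IN AAAA {addr}')
        for port in host["allow_tcp"]:
            # Generic, vendor-neutral ACL line format (illustrative only).
            acl.append(f"permit tcp any host {addr} eq {port}")
    return records, acl

def acl_change_after_nic_swap(inventory, prefix, name, new_mac):
    """Return (stale, replacement) ACL lines when one host's NIC is replaced."""
    _, before = render(inventory, prefix)
    swapped = [dict(h, mac=new_mac) if h["name"] == name else h for h in inventory]
    _, after = render(swapped, prefix)
    return sorted(set(before) - set(after)), sorted(set(after) - set(before))

if __name__ == "__main__":
    records, acl = render(INVENTORY, PREFIX)
    print("\n".join(records + acl))
    stale, fresh = acl_change_after_nic_swap(
        INVENTORY, PREFIX, "web1.example.net", "00:16:3e:ab:cd:ef")
    print("stale:", stale)
    print("replacement:", fresh)
```

With hand-maintained address-based rules, the stale line keeps permitting traffic to an address the server no longer holds while the new address is unreachable until someone edits the policy; regenerating from the inventory updates both together.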