tjc at ecs.soton.ac.uk
Mon Feb 11 15:26:46 CET 2013
On 10 Feb 2013, at 01:34, Erik Kline <ek at google.com> wrote:
>> I certainly know that it's doable, I'm more curious to know how much the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into using two prefixes because of the privacy options ($WORK is health care, so some data is highly sensitive), but there may be other reasons to use two prefixes.
> I believe I would just use privacy/temporary addresses by default, and
> pull MAC<->L3 mappings off the switches/routers for the purposes of
> auditing. That way you're more likely to notice when someone changes
> IP addresses (IPv6 or otherwise).
This is I think what most campus enterprises are doing. It's certainly exactly what we do here.
Below is a snapshot for the last 7 days for one of my devices, searching by Ethernet address, and listing the switch ports and IPv4/IPv6 addresses, including privacy addresses, that have been observed through polling devices as Erik suggests. This is using NAV, which is a nice open source package we have run for a while now. It's developed by the Norwegian academic network team at UNINETT. But I'm sure other packages are quite capable of doing this too. Or they should be!
The example below shows the device's link local IPv6 address in use for the whole time period, along with the IPv4 address, and IPv6 privacy addresses changing over time. Note the EUI-64 doesn't actually show up, presumably since nothing connects *to* this device by its static global address, and it only uses its current privacy address to initiate connections externally.
Apologies if the format is a bit odd for non graphic UIs :)
MAC Search results

Switch                       Module  Interface  Start time        End time          Mac
b32-l3-cat1.ecs.soton.ac.uk          Gi4/0/44   2013-02-06 12:23  Still active      c8:2a:14:20:24:71
                                                2013-02-05 16:53  2013-02-06 11:25

IP search results

IP                                     MAC                Start time           End time
126.96.36.199                          c8:2a:14:20:24:71  2013-02-05 16:51:57  Still active
2001:630:d0:f111:5420:e84f:86fe:c3e5   c8:2a:14:20:24:71  2013-02-09 16:22:01  2013-02-10 19:51:58
2001:630:d0:f111:943b:a03b:38ac:8b0    c8:2a:14:20:24:71  2013-02-07 16:52:08  2013-02-08 20:22:00
2001:630:d0:f111:a83e:a90c:2760:f20c   c8:2a:14:20:24:71  2013-02-10 02:21:59  Still active
                                                          2013-02-09 19:52:03  2013-02-10 01:51:59
                                                          2013-02-09 13:52:01  2013-02-09 17:51:58
                                                          2013-02-09 09:22:03  2013-02-09 13:21:57
                                                          2013-02-09 01:21:58  2013-02-09 07:51:57
                                                          2013-02-08 07:52:01  2013-02-09 00:21:56
                                                          2013-02-07 22:21:59  2013-02-08 07:21:56
                                                          2013-02-07 09:21:58  2013-02-07 20:51:58
                                                          2013-02-05 16:51:57  2013-02-07 08:21:57
2001:630:d0:f111:bde3:17c9:1ac8:af3a   c8:2a:14:20:24:71  2013-02-10 16:22:02  Still active
2001:630:d0:f111:edee:ce84:c7f1:4dfa   c8:2a:14:20:24:71  2013-02-06 16:51:55  2013-02-07 20:51:58
2001:630:d0:f111:f5c4:fe31:6493:eaec   c8:2a:14:20:24:71  2013-02-08 16:51:59  2013-02-09 20:21:58
fe80::ca2a:14ff:fe20:2471              c8:2a:14:20:24:71  2013-02-05 16:51:55  Still active
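The approach in this thread (poll the MAC/IP tables off routers and switches, then search by Ethernet address to see which addresses a host has used and when) can be reproduced in a few dozen lines. The script below is an added example, not part of the original post and not NAV's code: it takes constructed neighbour-cache sightings (poll time, IP, MAC), merges them into start/end periods per address the way the "IP search results" table above does, marks a period "Still active" when its last sighting is recent, and classifies each IPv6 address against the device's MAC so that the link-local address, a global EUI-64 address (absent above, as the post notes) and rotating privacy addresses can be told apart. The site prefix (2001:db8::/32, the RFC 3849 documentation prefix), the 30-minute poll interval and the sample sightings are assumptions; the MAC is the one searched for in the post.

```python
"""Rebuild an activity table like the NAV 'IP search results' above from
polled neighbour-cache snapshots and classify each address against the
device's MAC.  Added example, not NAV's code; the sightings are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MAC = "c8:2a:14:20:24:71"            # the MAC searched for in the post
PREFIX = "2001:db8:0:1:"             # RFC 3849 documentation prefix, assumed site prefix
POLL_INTERVAL = timedelta(minutes=30)  # assumed polling period
NOW = datetime(2013, 2, 11, 15, 0)   # time of the most recent poll (assumed)


def sample_observations():
    """Constructed (poll time, IP, MAC) sightings: nine polls, 30 min apart.
    Link-local is always present; the IPv4 address is missing from two
    consecutive polls; the privacy address rotates once; the EUI-64 global
    address never appears (the host only initiates connections)."""
    obs = []
    for i in range(9):
        t = NOW - timedelta(hours=4) + i * POLL_INTERVAL
        obs.append((t, "fe80::ca2a:14ff:fe20:2471", MAC))
        if i not in (5, 6):
            obs.append((t, "192.0.2.10", MAC))
        iid = "1a2b:3c4d:5e6f:7081" if i < 4 else "9f8e:7d6c:5b4a:3928"
        obs.append((t, PREFIX + iid, MAC))
    return obs


def eui64_iid(mac):
    """Modified EUI-64 interface identifier derived from a MAC (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                     # flip the universal/local bit
    return int.from_bytes(iid, "big")


def classify(ip, mac):
    """Label an address relative to the MAC it was seen with."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return "ipv4"
    derived = (int(addr) & ((1 << 64) - 1)) == eui64_iid(mac)
    if addr.is_link_local:
        return "link-local-eui64" if derived else "link-local"
    return "global-eui64" if derived else "global-other"   # privacy or manually set


def coalesce(observations, poll_interval=POLL_INTERVAL, now=NOW):
    """Merge sightings of each (IP, MAC) into periods.  A sighting more than two
    poll intervals after the previous one starts a new period; a period whose
    last sighting is within two intervals of `now` is still active."""
    seen = defaultdict(list)
    for t, ip, mac in sorted(observations):
        seen[(ip, mac.lower())].append(t)
    periods = []
    for (ip, mac), times in seen.items():
        start = prev = times[0]
        for t in times[1:]:
            if t - prev > 2 * poll_interval:
                periods.append((ip, mac, start, prev, False))
                start = t
            prev = t
        periods.append((ip, mac, start, prev, now - prev <= 2 * poll_interval))

    def key(p):                        # IPv4 first, then numeric order, then start time
        a = ipaddress.ip_address(p[0])
        return (a.version, int(a), p[2])
    return sorted(periods, key=key)


def render(periods):
    """Plain-text table in the same column order as the post."""
    lines = ["IP MAC Start time End time"]
    for ip, mac, start, end, active in periods:
        end_s = "Still active" if active else end.strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ip} {mac} {start:%Y-%m-%d %H:%M:%S} {end_s}")
    return "\n".join(lines)


def eui64_global_seen(periods, mac):
    """True if a global address with the MAC-derived IID was ever observed."""
    return any(classify(ip, m) == "global-eui64"
               for ip, m, *_ in periods if m == mac.lower())


if __name__ == "__main__":
    ps = coalesce(sample_observations())
    print(render(ps))
    for ip, *_ in ps:
        print(ip, "->", classify(ip, MAC))
    print("EUI-64 global address observed:", eui64_global_seen(ps, MAC))
```

The gap tolerance of two poll intervals is what turns a missed poll into a continuous period rather than a split one; tune it to the real polling period, since a host whose privacy address rotates faster than the poller runs will simply never be seen with some of its addresses.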