multiple prefixes

Tim Chown tjc at
Mon Feb 11 15:26:46 CET 2013

On 10 Feb 2013, at 01:34, Erik Kline <ek at> wrote:

>> I certainly know that it's doable, I'm more curious to know how much the two can differ (ULA, PD, PI, privacy, etc.). I'm looking into using two prefixes because of the privacy options ($WORK is health care, so some data is highly sensitive), but there may be other reasons to use two prefixes.
> I believe I would just use privacy/temporary addresses by default, and
> pull MAC<->L3 mappings off the switches/routers for the purposes of
> auditing.  That way you're more likely to notice when someone changes
> IP addresses (IPv6 or otherwise).

This is I think what most campus enterprises are doing. It's certainly exactly what we do here.  

Below is a snapshot for the last 7 days for one of my devices, searching by Ethernet address, and listing the switch ports and IPv4/IPv6 addresses, including privacy addresses, that have been observed through polling devices as Erik suggests. This is using NAV, which is a nice open source package we have run for a while now. It's developed by the Norwegian academic network team at UNINETT. But  I'm sure other packages are quite capable of doing this too.  Or they should be!

The example below shows the device's link local IPv6 address in use for the whole time period, along with the IPv4 address, and IPv6 privacy addresses changing over time. Note the EUI-64 doesn't actually show up, presumably since nothing connects *to* this device by its static global address, and it only uses its current privacy address to initiate connections externally.

Apologies if the format is a bit odd for non graphic UIs :)

MAC Search results
2 hits
Switch	Module	Interface	Start time	End time	Mac			Gi4/0/44		2013-02-06 12:23	Still active	c8:2a:14:20:24:71
2013-02-05 16:53	2013-02-06 11:25	
2 hits
IP search results
16 hits
IP		MAC	Start time	End time		c8:2a:14:20:24:71	2013-02-05 16:51:57	Still active
2001:630:d0:f111:5420:e84f:86fe:c3e5		c8:2a:14:20:24:71	2013-02-09 16:22:01	2013-02-10 19:51:58
2001:630:d0:f111:943b:a03b:38ac:8b0		c8:2a:14:20:24:71	2013-02-07 16:52:08	2013-02-08 20:22:00
2001:630:d0:f111:a83e:a90c:2760:f20c		c8:2a:14:20:24:71	2013-02-10 02:21:59	Still active
2013-02-09 19:52:03	2013-02-10 01:51:59
2013-02-09 13:52:01	2013-02-09 17:51:58
2013-02-09 09:22:03	2013-02-09 13:21:57
2013-02-09 01:21:58	2013-02-09 07:51:57
2013-02-08 07:52:01	2013-02-09 00:21:56
2013-02-07 22:21:59	2013-02-08 07:21:56
2013-02-07 09:21:58	2013-02-07 20:51:58
2013-02-05 16:51:57	2013-02-07 08:21:57
2001:630:d0:f111:bde3:17c9:1ac8:af3a		c8:2a:14:20:24:71	2013-02-10 16:22:02	Still active
2001:630:d0:f111:edee:ce84:c7f1:4dfa		c8:2a:14:20:24:71	2013-02-06 16:51:55	2013-02-07 20:51:58
2001:630:d0:f111:f5c4:fe31:6493:eaec		c8:2a:14:20:24:71	2013-02-08 16:51:59	2013-02-09 20:21:58
fe80::ca2a:14ff:fe20:2471		c8:2a:14:20:24:71	2013-02-05 16:51:55	Still active
16 hits


-------------- next part --------------
An HTML attachment was scrubbed...

More information about the ipv6-ops mailing list