PTR records for IPv6

David Magda dmagda at ee.ryerson.ca
Thu Sep 5 18:38:30 CEST 2013


On Thu, September 5, 2013 12:14, Dan Wing wrote:
[...]
> The best solution is improving tools to understand multiple IPv6
> addresses.  Consider an abuse report (from the Internet) reported to the
> enterprise will see the IPv6 privacy address, and the enterprise needs to
> determine which host was using that address.  Thus the tooling needs to be
> capable of auditing for multiple IPv6 addresses assigned to a host.  If the
> tooling can handle multiple IPv6 addresses assigned to a host for
> Internet-destined traffic, the tooling should be capable of handling
> multiple IPv6 addresses for enterprise-internal traffic, too?

This would be why I would lean towards a DHCP-based solution: you
configure certain subnets/prefixes to have "random" addresses assigned and
others to have MAC-based ones (or 'static-y' reservations). You'd keep the
assignment logs around for some period of time.

If you're doing SLAAC and create an RA option, then to keep track of systems,
you'd probably have to configure switches and routers to create a (syslog)
entry every time a new machine is attached to a port. You need to keep
track of this anyway for MAC tables, so perhaps some (togglable) code
could be added to make a note of new and changed entries. You send that to
a central logging host (which is generally best practice) for auditing
purposes.
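As an added example (not part of this thread), the kind of auditing tooling the reply describes: it parses constructed switch syslog entries that note each new neighbor-table entry and resolves the IPv6 address from an abuse report, at a given time, to the MAC and port that held it, so that the several SLAAC addresses of one host collapse onto that host. The log format, device names, MACs and addresses are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed syslog-style lines (the format is an assumption, not any vendor's):
# a switch notes each new neighbor-table entry it learns, as the post suggests.
SAMPLE_LOG = """\
2013-09-05T08:00:00Z sw1 nd: new addr=2001:db8:1:0:21a:2bff:fe3c:4d5e mac=00:1a:2b:3c:4d:5e port=Gi1/0/7
2013-09-05T08:00:02Z sw1 nd: new addr=2001:db8:1:0:8d3e:19f2:7b44:c0a1 mac=00:1a:2b:3c:4d:5e port=Gi1/0/7
2013-09-05T09:30:00Z sw1 nd: new addr=2001:db8:1:0:5c7e:aa01:3d90:11f4 mac=00:1a:2b:3c:4d:5e port=Gi1/0/7
2013-09-05T11:00:00Z sw2 nd: new addr=2001:db8:1:0:8d3e:19f2:7b44:c0a1 mac=00:9f:8e:7d:6c:5b port=Gi2/0/3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) nd: new addr=(?P<addr>\S+) mac=(?P<mac>\S+) port=(?P<port>\S+)$"
)

class Event(NamedTuple):
    ts: datetime
    addr: ipaddress.IPv6Address
    mac: str
    device: str
    port: str

def parse_events(text: str) -> list[Event]:
    """Parse the log into time-ordered events. Addresses are normalised so that
    the textual form in an abuse report (upper case, '::') still matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, ipaddress.IPv6Address(m["addr"]), m["mac"].lower(), m["dev"], m["port"]))
    return sorted(events, key=lambda e: e.ts)

def resolve(events, addr: str, when: str):
    """Latest event for `addr` at or before `when`, or None. The timestamp
    matters: a privacy address can later be picked up by a different host."""
    target = ipaddress.IPv6Address(addr)
    t = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    hits = [e for e in events if e.addr == target and e.ts <= t]
    return hits[-1] if hits else None

def addresses_for_mac(events, mac: str) -> set[str]:
    """Every address (EUI-64 and privacy) the log has seen for one host."""
    return {str(e.addr) for e in events if e.mac == mac.lower()}
```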