PTR records for IPv6

Dan Wing dwing at cisco.com
Thu Sep 5 18:49:12 CEST 2013


On Sep 5, 2013, at 9:38 AM, David Magda <dmagda at ee.ryerson.ca> wrote:

> On Thu, September 5, 2013 12:14, Dan Wing wrote:
> [...]
>> The best solution is improving tools to understand multiple IPv6
>> addresses.  Consider an abuse report (from the Internet) reported to the
>> enterprise will see the IPv6 privacy address, and the enterprise needs to
>> determine which host was using that address.  Thus the tooling needs to be
>> capable of auditing for multiple IPv6 addresses assigned to a host.  If the
>> tooling can handle multiple IPv6 addresses assigned to a host for
>> Internet-destined traffic, the tooling should be capable of handling
>> multiple IPv6 addresses for enterprise-internal traffic, too?
> 
> This would be why I would lean towards a DHCP-based solution: you
> configure certain subnets/prefixes to have "random" addresses assigned and
> others to have MAC-based ones (or 'static-y' reservations). You'd keep the
> assignment logs around for some period of time.

Do you have the energy to write an Internet Draft towards doing that?  As far as I know, nobody has written down a specific proposal as a straw man.

> If you're doing SLAAC and create an RA option, then to keep track of systems,
> you'd probably have to configure switches and routers to create a (syslog)
> entry every time a new machine is attached to a port. You need to keep
> track of this anyway for MAC tables, so perhaps some (togglable) code
> could be added to make a note of new and changed entries. You send that to
> a central logging host (which is generally best practice) for auditing
> purposes.

Yes, that is all current best practice and what most equipment already does.  The tooling to analyze that data remains painful (manually grepping the files is error prone and tiresome, but because many tools insist on one [or maybe two] addresses per host, grepping is the only robust option for many.  Or they just disable privacy addresses on their network to skirt the problem.)

-d
