PTR records for IPv6
Tim Chown
tjc at ecs.soton.ac.uk
Fri Sep 6 12:37:17 CEST 2013
On 5 Sep 2013, at 20:52, "Dale W. Carder" <dwcarder at wisc.edu> wrote:
> Thus spake Dan Wing (dwing at cisco.com) on Thu, Sep 05, 2013 at 09:49:12AM -0700:
>>
>>> If you're doing SLAAC and create an RA option, then to keep track system,
>>> you'd probably have to configure switches and routers to create a (syslog)
>>> entry every time a new machine is attached to a port. You need to keep
>>> track of this anyway for MAC tables, so perhaps some (togglable) code
>>> could be added to make a note of new and changed entries. You send that to
>>> a central logging host (which is generally best practice) for auditing
>>> purposes.
>>
>> Yes, that is all current best practice and what most equipment already does. The tooling to analyze that data remains painful (manual grepping of the files is error prone and tiresome, but because many tools insist on one [or maybe two] addresses per host, grepping is the only robust option for many. Or they just disable privacy addresses on their network to skirt the problem.)
>
> We just log to an sql db. If that row already exists just update the
> timestamp on the entry, otherwise create a new row. This is a lot more
> flexible than grep.
>
> Many switches can send mac address change notification traps. As far as
> I know there is not an equivalent for the v6 neighbor table, so we must
> resort to polling.
There are many open source network management/monitoring systems that do such polling, and it works fine for tracking IPv6 privacy addresses (or any other address a host chooses to use). We use NAV, which was (and is) developed by UNINETT, the Norwegian NREN.
It was such polling that highlighted the issue with certain Apple devices that caused significant problems for Cisco's FHS implementation.
In a university environment, you won't have control of the vast majority of devices which will be a myriad of BYODs, most of which have IPv6 on by default, and privacy addresses on by default. Our view was to accept that and instead monitor the network devices.
Tim