[118299] in North American Network Operators' Group


Re: IPv6 Deployment for the LAN

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Sun Oct 18 16:29:40 2009

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <7a6830090910171755q563d081fs7324a2f7d875bc9a@mail.gmail.com>
Date: Sun, 18 Oct 2009 16:28:42 -0400
To: Ray Soucy <rps@maine.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Oct 17, 2009, at 8:55 PM, Ray Soucy wrote:

> Looking for general feedback on IPv6 deployment to the edge.
>
> As it turns out delivering IPv6 to the edge in an academic setting has
> been a challenge.  Common wisdom says to rely on SLAAC for IPv6
> addressing, and in a perfect world it would make sense.
>
> Given that historically we have relied on DHCP for a means of NAC and
> host registration, like many academic institutions, the idea of
> sweeping changes to accommodate IPv6 was just not going to happen in
> the near future.

...

My question is this: what are your goals?  What are you trying to  
achieve?  Force all authorized machines to register?  If so, why?   
We'll leave out for now whether or not there's even much point to  
that.  My university -- and I'm just a user of campus computing  
facilities; I don't run them -- has concluded that there's no  
particular benefit to requiring registration or permission; it's one  
more server complex to run, one more database to maintain, and one  
more thing to break, and the benefits don't seem to be worth the  
cost.  And given that we've had incidents of IP and MAC address  
spoofing, where it took the switch logs to figure out what was going  
on, I'm very far from convinced that registration is of any benefit  
anyway.  In other words -- yes, I agree with the campus policy -- but  
that's not the question I'm asking.

I ask because there may be other ways to achieve your actual goal, but  
without knowing that it's hard to make recommendations.  The most  
obvious answer is accountability, but physical port number may be a  
better approach there, depending on how the campus network is run.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
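Bellovin's closing suggestion is that accountability can come from the physical switch port rather than from a registration database, and that in the spoofing incidents he mentions it was the switch logs, not the registration records, that settled the question. The script below is an added illustration of that idea and is not code from this NANOG message or from either author: it joins two tables a switch already keeps, the IPv6 neighbor cache (address to MAC) and the MAC forwarding table (MAC to port), to answer "which port was this address seen on", and it flags any MAC learned on more than one port, the pattern that an address-spoofing incident leaves behind. The table dumps, addresses, MACs and port names are constructed sample data in a generic "value value" layout, not the output format of any particular vendor.

```python
# Added example (not from the NANOG thread): map an IPv6 address to the
# physical switch port it was learned on, using two tables any managed
# switch keeps, and flag MACs that appear on more than one port.
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed neighbor-cache dump: "<ipv6 address> <mac>" per line.
# Sample data only; real dumps carry more columns (age, state, interface).
NEIGHBOR_CACHE = """\
2001:db8:1::a1            00:11:22:33:44:55
2001:db8:1::b2            00:11:22:33:44:66
fe80::211:22ff:fe33:4455  00:11:22:33:44:55
2001:db8:1::c3            00:11:22:33:44:55
"""

# Constructed MAC forwarding-table dump: "<mac> <port>" per line.
# 00:11:22:33:44:55 has been learned on two ports in the same window,
# which is exactly the kind of thing only the switch can show you.
MAC_TABLE = """\
00:11:22:33:44:55  Gi1/0/7
00:11:22:33:44:66  Gi1/0/12
00:11:22:33:44:55  Gi1/0/19
"""


def parse_neighbors(text):
    """Return {IPv6Address: mac} from whitespace-separated 'addr mac' lines.

    Addresses are normalised through IPv6Address so that textual variants
    (upper case, leading zeros) of the same address compare equal.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or malformed line
        table[IPv6Address(parts[0])] = parts[1].lower()
    return table


def parse_mac_table(text):
    """Return {mac: set(ports)} from 'mac port' lines.

    A set, not a single port, because one MAC may legitimately be learned
    on several ports (uplinks, moves) or may be spoofed from a second port.
    """
    table = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        table[parts[0].lower()].add(parts[1])
    return dict(table)


def ports_for_address(addr, neighbors, macs):
    """Set of ports on which the MAC behind `addr` was learned.

    Empty set when the address is not in the neighbor cache or its MAC is
    not in the forwarding table (e.g. the entry already aged out).
    """
    mac = neighbors.get(IPv6Address(addr))
    if mac is None:
        return set()
    return set(macs.get(mac, ()))


def duplicate_macs(macs):
    """MACs learned on more than one port, with their ports sorted.

    Candidates for address spoofing, a loop, or a hub on an access port;
    all three are worth a look at the switch logs.
    """
    return {mac: sorted(ports) for mac, ports in macs.items() if len(ports) > 1}


if __name__ == "__main__":
    neighbors = parse_neighbors(NEIGHBOR_CACHE)
    macs = parse_mac_table(MAC_TABLE)
    for addr in ("2001:db8:1::a1", "2001:db8:1::b2", "2001:db8:2::1"):
        print(addr, "->", sorted(ports_for_address(addr, neighbors, macs)) or "unknown")
    for mac, ports in duplicate_macs(macs).items():
        print("MAC", mac, "seen on multiple ports:", ", ".join(ports))
```

Run as is, it resolves 2001:db8:1::b2 to a single port, shows 2001:db8:1::a1 on two ports because its MAC was learned on both, reports the unknown address as such, and lists 00:11:22:33:44:55 as a duplicate. In practice the two dumps come from the switch (or from SNMP or a NetFlow/sFlow collector) with a timestamp, and the join has to be done against entries from the same time window, since both tables age out.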
