[134818] in North American Network Operators' Group


Re: NIST IPv6 document

daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Jan 11 12:10:51 2011

Date: Tue, 11 Jan 2011 11:10:47 -0600
From: Jack Bates <jbates@brightok.net>
To: Valdis.Kletnieks@vt.edu
In-Reply-To: <15170.1294765032@localhost>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 1/11/2011 10:57 AM, Valdis.Kletnieks@vt.edu wrote:
> The same exact way you currently track down an IP address that some machine has
> started using without bothering to ask your DHCP server for an allocation, of course.
>

But it's no easier. Especially when you hit the customer equipment. NAT
may be gone there, but knowing which computer it is will likely be
impossible (as it won't be standard policy for the customer to grab ARP
tables).

> Remember - the privacy extension was so that somebody far away on the Internet
> couldn't easily correlate "all these hits on websites were from the same box".
> It gives a user approximately *zero* protection against their own ISP dumping
> the ARP tables off every switch 5 minutes and keeping the data handy in case
> they have to track a specific MAC or IP address down.
>

I dislike this method, though. It works, but I much prefer to correlate
with RADIUS accounting logs backended on a DHCP server. Sadly, even in
v4, implementations are not always available. Of course, I don't run NAT
at the provider edge, but customers often do, and while I will be able
to track the customer, knowing which machine will be just as impossible
as it is with NAT.


Jack

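As an added example, not part of this thread or any poster's code: the correlation Jack describes, done over constructed RADIUS accounting and DHCPv6 lease records, with the privacy-extension case (address inside a subscriber's prefix but no lease) surfaced explicitly. Record layout, field names and all values are assumed.

```python
"""Attribute an IPv6 address seen at a given time to a subscriber via
RADIUS accounting (delegated prefix), then to a host via DHCPv6 leases.
All records below are constructed; the field layout is an assumption."""
import ipaddress
from datetime import datetime

# Constructed RADIUS accounting sessions: user, delegated prefix, start, stop.
# A stop of None means the session is still open.
RADIUS_ACCT = [
    ("cust-1001", "2001:db8:10::/48", "2011-01-11 08:00", "2011-01-11 20:00"),
    ("cust-1002", "2001:db8:20::/48", "2011-01-11 09:30", None),
]
# Constructed DHCPv6 lease records: address, client DUID, start, end.
DHCPV6_LEASES = [
    ("2001:db8:10:1::20", "00:01:00:01:aa:bb", "2011-01-11 08:05", "2011-01-11 12:05"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _covers(start, stop, at):
    """True if the interval [start, stop) contains the instant `at`."""
    return _ts(start) <= at and (stop is None or at < _ts(stop))


def attribute(address, when):
    """Return {'customer', 'host', 'note'} for an address at a timestamp."""
    addr = ipaddress.ip_address(address)
    at = _ts(when)
    # Subscriber: whose delegated prefix contained the address at that time.
    customer = next((u for u, p, s, e in RADIUS_ACCT
                     if addr in ipaddress.ip_network(p) and _covers(s, e, at)), None)
    # Host: only resolvable if the address was handed out by DHCPv6.
    host = next((d for a, d, s, e in DHCPV6_LEASES
                 if ipaddress.ip_address(a) == addr and _covers(s, e, at)), None)
    note = None
    if customer is not None and host is None:
        # SLAAC / privacy-extension addresses never appear in the lease log:
        # the customer is known, the machine behind the CPE is not.
        note = "no DHCPv6 lease: SLAAC/privacy address, host unknown"
    return {"customer": customer, "host": host, "note": note}
```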
