[138029] in North American Network Operators' Group
Re: Mac OS X 10.7, still no DHCPv6
daemon@ATHENA.MIT.EDU (Richard Barnes)
Sun Feb 27 14:53:37 2011
In-Reply-To: <F2AF8BBB-618B-44D6-AD20-E2475EED6E98@ukbroadband.com>
Date: Sun, 27 Feb 2011 14:53:23 -0500
From: Richard Barnes <richard.barnes@gmail.com>
To: Leigh Porter <leigh.porter@ukbroadband.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
In fairness, said device can do the same sort of inspection of SLAAC
traffic. It just looks at neighbor discovery messages instead of DHCP
messages.
<http://tools.ietf.org/html/draft-ietf-savi-fcfs>
On Sun, Feb 27, 2011 at 2:17 PM, Leigh Porter
<leigh.porter@ukbroadband.com> wrote:
>
>
> On 27 Feb 2011, at 19:07, Antonio Querubin wrote:
>
>> On Sun, 27 Feb 2011, Mikael Abrahamsson wrote:
>>
>>> On Sun, 27 Feb 2011, Leigh Porter wrote:
>>>
>>>> Does anybody have anything neat to keep logs of what host gets what ip=
v6 address in an SLAAC environment?
>>>
>>> You'd have to correlate ND information in the router to some kind of re=
cord of who has what MAC address at any given time. With SLAAC the host doe=
sn't "get" an IPv6 address, it "takes" one.
>>>
>>>> This is often required for legislation compliance. DHCP does this well=
.
>>>
>>> Which is one of the reasons why some of us want DHCPv6 support in hosts=
.
>>
>> So how does DHCP prevent a host from just taking or hijacking an IP addr=
ess?
>>
>> Antonio Querubin
>> e-mail/xmpp: =A0tony@lava.net
>>
>
> You can have devices that peek at the DHCP messages and then open filters=
so that you at least know that any host that pops up on the network has us=
ed DHCP to obtain an IP address.
>
> Now you cannot usually prevent somebody from later hijacking that IP addr=
ess using a fake MAC unless you do something else as well but at least you =
have something of a statefull relationship between an host and the IP addre=
ss it uses.
>
>
> --
> Leigh Porter
>
