[138049] in North American Network Operators' Group


Re: Mac OS X 10.7, still no DHCPv6

daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Feb 27 18:09:09 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTinepYvJ=n6407s5CEPrmvQFy8zw2g5qRVZOHDWN@mail.gmail.com>
Date: Sun, 27 Feb 2011 15:04:55 -0800
To: Richard Barnes <richard.barnes@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

But the ND messages don't tell you anything other than the MAC
address about which host it actually is. In theory, at least, snooping
the DHCP messages might include a hostname or some other
useful identifier.

Owen

On Feb 27, 2011, at 11:53 AM, Richard Barnes wrote:

> In fairness, said device can do the same sort of inspection of SLAAC
> traffic.  It just looks at neighbor discovery messages instead of DHCP
> messages.
>
> <http://tools.ietf.org/html/draft-ietf-savi-fcfs>
>
>
> On Sun, Feb 27, 2011 at 2:17 PM, Leigh Porter
> <leigh.porter@ukbroadband.com> wrote:
>>
>>
>> On 27 Feb 2011, at 19:07, Antonio Querubin wrote:
>>
>>> On Sun, 27 Feb 2011, Mikael Abrahamsson wrote:
>>>
>>>> On Sun, 27 Feb 2011, Leigh Porter wrote:
>>>>
>>>>> Does anybody have anything neat to keep logs of what host gets what IPv6 address in an SLAAC environment?
>>>>
>>>> You'd have to correlate ND information in the router to some kind of record of who has what MAC address at any given time. With SLAAC the host doesn't "get" an IPv6 address, it "takes" one.
>>>>
>>>>> This is often required for legislation compliance. DHCP does this well.
>>>>
>>>> Which is one of the reasons why some of us want DHCPv6 support in hosts.
>>>
>>> So how does DHCP prevent a host from just taking or hijacking an IP address?
>>>
>>> Antonio Querubin
>>> e-mail/xmpp:  tony@lava.net
>>>
>>
>> You can have devices that peek at the DHCP messages and then open filters so that you at least know that any host that pops up on the network has used DHCP to obtain an IP address.
>>
>> Now you cannot usually prevent somebody from later hijacking that IP address using a fake MAC unless you do something else as well but at least you have something of a stateful relationship between a host and the IP address it uses.
>>
>>
>> --
>> Leigh Porter
>>
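
The correlation of router ND information with MAC addresses discussed in this thread, sketched as an added example that is not part of any poster's message. It assumes a Linux router whose neighbor cache is polled with `ip -6 neigh show`; the function names, timestamps and sample output are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: two polls of `ip -6 neigh show` on the router.
POLL_1 = """\
2001:db8:0:1:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:0:1:9c4e:1f2a:77b0:3d01 dev eth0 lladdr 00:aa:bb:cc:dd:01 STALE
2001:db8:0:1::99 dev eth0 FAILED
"""
POLL_2 = """\
2001:db8:0:1:211:22ff:fe33:4455 dev eth0 lladdr 00:de:ad:be:ef:02 REACHABLE
2001:db8:0:1:9c4e:1f2a:77b0:3d01 dev eth0 lladdr 00:aa:bb:cc:dd:01 REACHABLE
"""

NEIGH = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})\b", re.I)

def parse_neigh(text):
    """Return {ipv6: mac} for entries that carry a link-layer address."""
    out = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            out[str(ipaddress.IPv6Address(m.group(1)))] = m.group(3).lower()
    return out

def eui64_mac(addr):
    """MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy or manually chosen interface ID
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in raw)

def log_bindings(bindings, text, when):
    """Update bindings in place; return records for new or changed pairs."""
    records = []
    for ip, mac in parse_neigh(text).items():
        old = bindings.get(ip)
        if old == mac:
            continue
        event = "NEW" if old is None else "MAC_CHANGED"
        embedded = eui64_mac(ip)
        # True when the address encodes one MAC but ND shows another
        mismatch = embedded is not None and embedded != mac
        records.append((when, event, ip, mac, old, mismatch))
        bindings[ip] = mac
    return records
```

Each record is (time, event, IPv6 address, current MAC, previous MAC, EUI-64 mismatch); a `MAC_CHANGED` event or a mismatch is the point where the MAC-to-host record mentioned in the thread would be consulted.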


