gogoNET

IPv6 products, community and services

On an IPv4 network, I am used to being able to track devices by IP address (copyright violation, spam complaints etc.). Static addresses are in the DNS and DHCP config, while dynamically assigned addresses, e.g. visitors' laptops, appear in DHCP logs or access controller logs.

The Freenet6 tunnel in router mode spawns radvd and devices use IPv6 neighbor discovery to auto-assign addresses. On my Fedora Core 9 system I cannot see anything logged by radvd, although the manpage says the default is to log to syslog. If I try setting debug level 4, I still don't see any log of what IP address is assigned to what MAC address. (Windows Vista assigns radically different IPv6 addresses to the same NIC on the same PC.)

So I was wondering:
- is there a way to log assigned addresses from radvd?
- is DHCP6 a preferred way to go?
- is there a reliable way to find what's on the network?


Replies to This Discussion

This is not an easy thing. Using DHCP would give you the same management possibilities as in IPv4, but the support for DHCPv6 is still a bit limited and you might end up with devices that don't work. There is nothing to log for radvd since it only provides information about the network but doesn't know anything about the clients. What you could do in that case is log duplicate address detection traffic, as the client will try to verify that the address it picked is available.
If you have a managed environment you can set up the clients to use "normal" SLAAC addresses instead of privacy addresses.
Can you be more specific? I'm just finding my way here.
I presume that I could manually assign static addresses, but few people do that anymore.
Our upstream provider requires that we be able to identify devices on the network ... RFC 3041 seems to be deliberately trying to make that impossible. (from network-scripts/ifup-ipv6)
To clarify his last line: there's an option in some OSes that generates a "private" IPv6 address that changes periodically; the idea is/was to make it more like dial-up so users might have some sort of anonymity. This makes tracking the client very hard. In Windows, you could do a "netsh int ipv6 privacy disabled" to disable private addresses.
I'm also trying to figure this out.

I am working on getting a DHCPv6 server up on FreeBSD using ISC DHCP 4.1.1, but there isn't a working FreeBSD port available for this new version, which has better IPv6 support.

I would imagine that DHCPv6 would be the easiest solution for most people migrating from DHCP on IPv4 since it's closer to how things were done in IPv4.
I just read https://fedorahosted.org/dhcpv6/ which says that "dhcpv6" is obsoleted by ISC dhcp version 4.1.0.
I just built 4.1.1 on Fedora Core - seems to work with my old IPv4 dhcpd.conf, at any rate. Not yet tried IPv6.

I guess we shouldn't be referring to DHCPv6 but rather to "recent DHCP with IPv6 support" or something. Confusing...
- never mind; just me getting muddled between dhcpv6 the program and DHCPv6 the protocol. RFC 4862 etc. refer to DHCPv6.
I now have "dhcpd -6" running but not a working setup. Docs suggest running DHCPv6 for DNS assignment even if autoconfiguration is used for address assignment.
If it is a linux box acting as gateway:

ping6 ff02::1%eth# where eth# is the LAN-facing interface. You'll see the other IPv6-enabled machines on the same layer 2 segment respond with their link-local addresses. So now you know the last 64 bits to add onto the first 64 bits that radvd is supplying. Any reply tagged as DUP is another machine; the reply not tagged is your own machine.

so:

64 bytes from fe80::219:d1ff:fe22:1823: icmp_seq=4 ttl=64 time=0.417 ms (DUP!)

If I advertise 2001:db8:1:2::/64, the IPv6 address of that machine is 2001:db8:1:2:219:d1ff:fe22:1823
You won't, however, learn the Windows private IPs assigned. You'd need to dump traffic, or get flows, or use other Linux utilities to track IPv6 address to MAC. On hardware routers like Foundry/Brocade it is relatively simple with commands like:

sh ipv6 nei ?
X:X::X:X/M IPv6 Prefix
X:X::X:X IPv6 address
ethernet Ethernet interface
ve Virtual Ethernet interface
| Output modifiers
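The two approaches suggested in this thread (logging duplicate address detection traffic, in the first reply, and pinging ff02::1 to collect link-local addresses and gluing them onto the advertised /64, in the reply above) can be combined into a small inventory script. The following is an added example, not code from the original posts or from gogo6; it assumes tcpdump-style `-e -n` output for the DAD neighbor solicitations and a ping6 output format like the one quoted above, both constructed here rather than captured. It also shows why the ping6 shortcut fails for hosts using RFC 4941 privacy addresses: the EUI-64 guess derived from the link-local address is only confirmed when the DAD probe from the same MAC carries that same address.

```python
import ipaddress
import re

# Constructed sample in the shape of `tcpdump -e -n -i eth0 icmp6` output
# (format assumed, not taken from the original page). The first two lines are
# DAD probes: neighbor solicitations from :: to the solicited-node group of
# the address under test. A DAD probe carries no link-layer address option,
# so the Ethernet source MAC is the only tie back to the host.
DAD_LOG = """\
12:00:01.000001 00:19:d1:22:18:23 > 33:33:ff:22:18:23, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff22:1823: ICMP6, neighbor solicitation, who has 2001:db8:1:2:219:d1ff:fe22:1823, length 24
12:00:02.000002 00:1c:42:aa:bb:cc > 33:33:ff:9a:bc:de, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff9a:bcde: ICMP6, neighbor solicitation, who has 2001:db8:1:2:4c1e:7f3a:2d9a:bcde, length 24
12:00:03.000003 00:19:d1:22:18:23 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::219:d1ff:fe22:1823 > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::219:d1ff:fe22:1823, length 32
"""

# Constructed `ping6 ff02::1%eth0` output in the shape quoted in the reply above.
PING_OUTPUT = """\
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from fe80::219:d1ff:fe22:1823%eth0: icmp_seq=1 ttl=64 time=0.417 ms (DUP!)
64 bytes from fe80::21c:42ff:feaa:bbcc%eth0: icmp_seq=1 ttl=64 time=0.512 ms (DUP!)
"""

DAD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?: :: > \S+: "
    r"ICMP6, neighbor solicitation, who has (?P<addr>[0-9a-f:]+),"
)
PING_RE = re.compile(
    r"^\d+ bytes from (?P<ll>[0-9a-f:]+)(?:%\S+)?: icmp_seq=\d+.*?(?P<dup>\(DUP!\))?\s*$"
)


def mac_from_eui64(addr):
    """Recover the MAC embedded in a modified EUI-64 interface identifier.
    Returns None when the low 64 bits are not EUI-64 shaped (no ff:fe in the
    middle), which is what a privacy/temporary address looks like."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # clear the U/L bit
    return ":".join(f"{b:02x}" for b in octets)


def slaac_address(prefix, link_local):
    """Glue the advertised /64 onto the interface identifier of a link-local
    address, the manual step described in the reply above."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = int(ipaddress.IPv6Address(link_local)) & ((1 << 64) - 1)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def parse_dad_log(text):
    """One record per DAD probe: frame source MAC, tentative address, and
    whether the address embeds that same MAC (eui64) or not (non-eui64,
    i.e. a privacy address or an address that did not come from this NIC)."""
    records = []
    for line in text.splitlines():
        m = DAD_RE.match(line)
        if not m:
            continue
        addr = str(ipaddress.IPv6Address(m["addr"]))
        kind = "eui64" if mac_from_eui64(addr) == m["mac"] else "non-eui64"
        records.append({"time": m["ts"], "mac": m["mac"], "addr": addr, "kind": kind})
    return records


def hosts_from_ping(output, prefix):
    """Link-local address -> guessed global address, embedded MAC, DUP flag."""
    hosts = {}
    for line in output.splitlines():
        m = PING_RE.match(line)
        if not m:
            continue
        ll = str(ipaddress.IPv6Address(m["ll"]))
        hosts[ll] = {"global": slaac_address(prefix, ll),
                     "mac": mac_from_eui64(ll),
                     "dup": m["dup"] is not None}
    return hosts


def inventory(dad_records, ping_hosts):
    """Per MAC: the ping6-derived guess next to the addresses actually
    defended in DAD. Hosts whose link-local is not EUI-64 only show up
    through DAD, since there is no MAC to key the ping6 result on."""
    by_mac = {}
    for ll, info in ping_hosts.items():
        if info["mac"] is not None:
            by_mac[info["mac"]] = {"link_local": ll, "slaac_guess": info["global"], "dad": []}
    for rec in dad_records:
        entry = by_mac.setdefault(rec["mac"], {"link_local": None, "slaac_guess": None, "dad": []})
        entry["dad"].append(rec["addr"])
    return by_mac


if __name__ == "__main__":
    inv = inventory(parse_dad_log(DAD_LOG), hosts_from_ping(PING_OUTPUT, "2001:db8:1:2::/64"))
    for mac, entry in sorted(inv.items()):
        print(mac, entry)
```

In the constructed data the first host confirms the ping6 guess (its DAD probe carries the EUI-64 address), while the second host's link-local still embeds its MAC but the address it actually defends is a random one, so only the DAD capture ties that address to a NIC. On a VLAN-segmented network the capture has to be taken on each segment, for the reason given in the next post.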
Jeroen Massar from SixXS tells me about rdpmon as a substitute for arpwatch.

But on a segmented network with VLANs it is necessary to run these tools on every VLAN, whereas in IPv4 we have a single reverse DNS (well, OK, we have failover and slaves, and DHCP relay, but basically anyone can easily look up a numeric address and get a name which can be used in access control etc.)

It's all very well for Windows to have privacy (if not disabled) or Linux (if enabled), but as a network administrator I get users asking why their mail doesn't work. They have no idea how to find their IP address, but I can look it up easily with our DHCP/static-address scheme.

I also have access controls, firewall rules and spam DNSBL filters all based on IP address or netblock.
If all that doesn't work reliably in IPv6, and I have to change over to certificate-based access control everywhere, that's probably more work than switching addressing to IPv6.


© 2014   Created by gogo6.
