Educause Security Discussion mailing list archives

Re: IPv6 and DHCP


From: John Hoffoss <John.Hoffoss () SO MNSCU EDU>
Date: Wed, 23 May 2012 12:48:44 +0000

One interesting proposal coming out of the IPv6 presentation by Randy Marchany and Phillip Deneault at EDUCAUSE 
Security last week was the possible idea that you statically assign addresses using DHCP, even guests and devices you 
may only ever see once. I'm not deep enough on any of the tooling to know if the capability exists today, but if we 
have enough space in IPv6 to assign addresses to every cell (using a rough 10 trillion cell estimate) in every human on 
earth, we can probably afford to assign static addresses to every MAC we ever see. Of course, we hopefully don't embed 
the MAC into that address to make addressing privacy concerns just a little easier. 


-jth

On May 10, 2012, at 14:43, "John Ladwig" <John.Ladwig () SO MNSCU EDU> wrote:

I think even within the IETF there's no longer a strong assumption that IPv6 will be "self-managing" in all, or even 
most, networks.

Since we're in a security forum, I think it's pretty easy for us to realize that "self-managing networks" would need 
an awful lot of bolt-around management/monitoring tricks to keep up with the normal sorts of incident response that 
we deal with daily in IPv4 networks.

My personal expectation is that the IPv6 internet will end up much like the current IPv4 Internet - a mix of static 
addressing for servers and network devices run by organizations, and DHCP in client networks.  Future 
Internet-of-devices scenarios may result in good use cases for SLAAC, but I can't personally fathom how I'd manage 
response on a big campus network of SLAAC+Privacy mode addressing on end-user devices.  

I'd also be interested in experience reports; our IPv6 work hasn't quite gotten to DHCPv6 testing.

   -jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Thursday, May 10, 2012 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPv6 and DHCP

If you're running IPv6, and you've tested, or deployed, DHCP tools, we are interested in what you may have discovered.

Our staff were using the following as a starting place for looking into this issue: 
https://en.wikipedia.org/wiki/IP_address_management

Granted, we could have a debate about whether it makes sense to manage an addressing protocol designed to be 
self-administering. But I think we have to first determine whether or not it's feasible.

So any experience with the products on the Wikipedia page, or anything else, would be greatly appreciated.

Marty



Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209 518/437-3813

The University at Albany will never ask you to reveal your password.
Please ignore all such requests.
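
The proposal in the reply at the top of this thread (a fixed DHCP-assigned address for every MAC ever seen, without the MAC embedded in the address) can be sketched as follows. This is an added example, not code from the thread or from any DHCP product; the site secret, the documentation prefix 2001:db8:0:1::/64, the sample MACs and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw

def eui64_address(prefix, mac):
    """Modified EUI-64 (SLAAC style): the MAC is recoverable from the address."""
    m = mac_bytes(mac)
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Network(prefix)[int.from_bytes(iid, "big")]

def opaque_address(prefix, mac, secret):
    """Stable per-MAC address: the interface ID is a keyed hash, not the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("example assumes a /64 client prefix")
    tag = hmac.new(secret, net.network_address.packed + mac_bytes(mac),
                   hashlib.sha256).digest()
    return net[int.from_bytes(tag[:8], "big")]

def embeds_mac(addr, mac):
    """True if the low 64 bits of addr are the modified EUI-64 of mac."""
    iid, m = addr.packed[8:], mac_bytes(mac)
    return (iid[3:5] == b"\xff\xfe"
            and bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:] == m)

def build_reservations(prefix, macs, secret):
    """Address -> MAC table, usable for reservations and incident lookups."""
    table = {}
    for mac in macs:
        norm = mac_bytes(mac).hex()
        addr = opaque_address(prefix, mac, secret)
        if table.setdefault(addr, norm) != norm:
            raise RuntimeError(f"interface ID collision on {addr}")
    return table

if __name__ == "__main__":
    PREFIX = "2001:db8:0:1::/64"                        # documentation prefix
    SECRET = b"site-secret-placeholder"                 # assumed site secret
    MACS = ["00:11:22:33:44:55", "00:11:22:33:44:56"]   # constructed samples
    for addr, mac in build_reservations(PREFIX, MACS, SECRET).items():
        print(mac, addr, "embeds MAC:", embeds_mac(addr, mac))
    print("EUI-64 for contrast:", eui64_address(PREFIX, MACS[0]))
```

The secret has to stay both private and unchanged: anyone holding it can test a guessed MAC against an observed address, and rotating it renumbers every client.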


