Educause Security Discussion mailing list archives
Re: IPv6 and DHCP
From: John Hoffoss <John.Hoffoss () SO MNSCU EDU>
Date: Wed, 23 May 2012 12:48:44 +0000
One interesting proposal coming out of the IPv6 presentation by Randy Marchany and Phillip Deneault at EDUCAUSE Security last week was the possible idea that you statically assign addresses using DHCP, even guests and devices you may only ever see once.

I'm not deep enough on any of the tooling to know if the capability exists today, but if we have enough space in IPv6 to assign addresses to every cell (using a rough 10 trillion cell estimate) in every human on earth, we can probably afford to assign static addresses to every MAC we ever see. Of course, we hopefully don't embed the MAC into that address to make addressing privacy concerns just a little easier.

-jth

On May 10, 2012, at 14:43, "John Ladwig" <John.Ladwig () SO MNSCU EDU> wrote:

I think even within the IETF there's no longer a strong assumption that IPv6 will be "self-managing" in all, or even most, networks.

Since we're in a security forum, I think it's pretty easy for us to realize that "self-managing networks" would need an awful lot of bolt-around management/monitoring tricks to keep up with the normal sorts of incident response that we deal with daily in IPv4 networks.

My personal expectation is that the IPv6 internet will end up much like the current IPv4 Internet - a mix of static addressing for servers and network devices run by organizations, and DHCP in client networks. Future Internet-of-devices scenarios may result in good use cases for SLAAC, but I can't personally fathom how I'd manage response on a big campus network of SLAAC+Privacy mode addressing on end-user devices.

I'd also be interested in experience reports; our IPv6 work hasn't quite gotten to DHCPv6 testing.

-jml

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Martin Manjak
Sent: Thursday, May 10, 2012 2:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IPv6 and DHCP

If you're running IPv6, and you've tested, or deployed, DHCP tools, we are interested in what you may have discovered. Our staff were using the following as a starting place for looking into this issue:

https://en.wikipedia.org/wiki/IP_address_management

Granted, we could have a debate about whether it makes sense to manage an addressing protocol designed to be self-administering. But I think we have to first determine whether or not it's feasible. So any experience with the products on the Wikipedia page, or anything else, would be greatly appreciated.

Marty

Martin Manjak
CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209
518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.
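An added example, not part of the thread or of the presentation it mentions: one way to give every MAC a stable address that does not embed the MAC, while keeping the address-to-MAC table that incident response needs. The keyed-hash derivation, the function names, the documentation prefix 2001:db8:0:1::/64 and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

def eui64_mac(addr):
    """Return the MAC a modified EUI-64 interface ID exposes, else None.
    Heuristic: a random ID can contain ff:fe in the same position by chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def static_address(prefix, mac, secret):
    """Derive a stable address for `mac` in a /64 without embedding the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("expected a 48-bit MAC address")
    for counter in range(256):
        msg = net.network_address.packed[:8] + mac_bytes + bytes([counter])
        iid = hmac.new(secret, msg, hashlib.sha256).digest()[:8]
        # Skip the all-zero ID (subnet-router anycast) and anything that
        # would be mistaken for an EUI-64 address.
        if iid != bytes(8) and iid[3:5] != b"\xff\xfe":
            return net[int.from_bytes(iid, "big")]
    raise RuntimeError("no usable interface ID found")

def build_assignments(prefix, macs, secret):
    """Map assigned address -> MAC: the lookup incident response needs,
    since the keyed hash cannot be inverted from the address alone."""
    table = {}
    for mac in macs:
        addr = str(static_address(prefix, mac, secret))
        if table.setdefault(addr, mac.lower()) != mac.lower():
            raise RuntimeError(f"address collision on {addr}")
    return table

# Constructed sample data (documentation prefix, made-up MACs and secret).
SAMPLE_PREFIX = "2001:db8:0:1::/64"
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_MACS = ["00:11:22:33:44:55", "66:77:88:99:aa:bb"]

if __name__ == "__main__":
    for addr, mac in build_assignments(SAMPLE_PREFIX, SAMPLE_MACS, SAMPLE_SECRET).items():
        print(addr, "->", mac, "| MAC visible in address:", eui64_mac(addr))
```

The resulting table could be loaded into a DHCPv6 server as fixed assignments; an observer who sees only the address learns nothing about the MAC, while the operator resolves it with a single lookup.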