[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
tpoder at cis.vutbr.cz
Wed Sep 5 21:59:46 CEST 2012
only a few comments
On 9/4/12 11:41 PM, Tim Chown wrote:
> On 4 Sep 2012, at 22:02, Tomas Podermanski <tpoder at cis.vutbr.cz> wrote:
>> Not at all. 802.1X is layer 2 authentication. That says nothing
>> about the IP address used for communication. You have to deploy some
>> mechanism that somehow ties the L2 information obtained from the 802.1X
>> authentication process (user, MAC address) to an L3 IP address. That is
>> pretty difficult since DHCPv6 doesn't have the MAC in its requests and it is
>> impossible to tie 802.1X authentication requests to DUIDs from DHCPv6.
>> As such, some extra system that gathers the neighbor cache on the router has
>> to be deployed. The absence of the MAC address in DHCPv6 is really tragic
> There is this, which is about adding the link layer address in relays. So this gives you what you want if you're in an environment where all DHCPv6 requests are relayed.
I know about that. Another very similar draft
However, I haven't found any implementation of this yet. Neither hw
devices nor sw packages like ISC DHCP support it. So it still isn't an
option for today.
>> Some more about that is on
>> http://ipv6.vutbr.cz/article/flow-based-monitoring-of-ipv6/ (slide 6)
>> and more detailed description in the article
> We harvest the necessary information from switch/router devices. There are a few open source packages that do this.
What specific packages do you use? We currently use MetNAV
(http://metanav.uninett.no/) for this purpose, but there are some
disadvantages here. A similar project, netdisco (http://www.netdisco.org/),
has some support for gathering the neighbor cache from the local network, but
not from MIBs.
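
The correlation discussed in this message, as an added example that is not part of the original post or of any package named in it: 802.1X sessions (user, MAC) are joined with neighbor cache polls (IPv6 address, MAC) to answer which user held an address at a given time. The record layouts, the function names and all sample data are assumptions constructed for illustration.

```python
"""Tie 802.1X identities (L2) to IPv6 addresses (L3) via a harvested neighbor cache."""
import ipaddress
import re
from datetime import datetime

def norm_mac(mac):
    """Normalise aa:bb:.., AA-BB-.. and aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample data (assumed formats, not taken from any real device).
# 802.1X sessions as RADIUS accounting would record them: user, MAC, start, stop.
SESSIONS = [
    ("alice", "00-11-22-AA-BB-01", "2012-09-05T08:00:00", "2012-09-05T12:00:00"),
    ("bob",   "00-11-22-AA-BB-01", "2012-09-05T13:00:00", "2012-09-05T17:00:00"),
    ("carol", "0011.22aa.bb02",    "2012-09-05T09:00:00", None),  # still online
]
# Neighbor cache polls from the router: poll time, IPv6 address, MAC.
# One MAC may hold several addresses (EUI-64 plus a privacy address).
NEIGHBORS = [
    ("2012-09-05T09:05:00", "2001:db8:1::211:22ff:feaa:bb01", "00:11:22:aa:bb:01"),
    ("2012-09-05T09:05:00", "2001:db8:1::5c3e:9a01:77f2:10",  "00:11:22:aa:bb:01"),
    ("2012-09-05T14:05:00", "2001:DB8:1::5c3e:9a01:77f2:10",  "00:11:22:aa:bb:01"),
    ("2012-09-05T09:05:00", "2001:db8:1::a1b2:c3d4:e5f6:7",   "00:11:22:aa:bb:02"),
]

def user_for(ip, when):
    """Return the 802.1X user behind `ip` at time `when`, or None if unknown."""
    ip, when = ipaddress.IPv6Address(ip), ts(when)
    # Most recent neighbor cache sighting of this address at or before `when`.
    seen = [(ts(t), norm_mac(m)) for t, a, m in NEIGHBORS
            if ipaddress.IPv6Address(a) == ip and ts(t) <= when]
    if not seen:
        return None
    _, mac = max(seen)
    # The session on that MAC that was open at `when`; a stale cache entry
    # with no matching open session yields None instead of a wrong name.
    for user, smac, start, stop in SESSIONS:
        if norm_mac(smac) == mac and ts(start) <= when and (stop is None or when <= ts(stop)):
            return user
    return None
```

The same MAC maps to different users before and after a re-authentication, which is why the join needs timestamps on both sides and not just a MAC-to-user table.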