host-identifier with IPv6

Frank Sweetser fs at WPI.EDU
Tue Mar 3 20:51:46 UTC 2009


David Farmer wrote:

> It looks like Vista by default uses a random address even for 
> link local. GRRR!  You can turn off that feature, but this 
> needs to work no matter how a host is configured.  
> 
> Anyone know if it is more than just Vista that uses a random 
> link local address?

I can confirm that the behaviour continues in Windows 7 (at least the current
beta).

Fedora 10 and XP SP3 appear to default to EUI-64 addresses.

> Anyone know if you can do a group policy or something of the 
> kind to turn-off the random link local address?  Maybe you can 
> use IPv4 connectivity to get IPv6 configured correctly.

I'm pretty sure there's a netsh command to do this.  However, that would
exclude any Vista machines with a default configuration, which - at least on
the student side - is going to be the vast majority of what comes through the
door.

> If that works you could refuse to give out an IPv6 address from 
> the DHCPv6 server unless you have an EUI-64 based link local 
> address, with "FF:FE" is not in the middle two nibbles.
> 
> Another option from the DHCPv6 server side; Maybe you look 
> at the link local address first.  If you can't get the MAC address 
> there, then try to decode the DUID for the MAC address.  I 
> know it violates the RFC where it says the DUID is supposed to 
> be opaque, but I'm not sure there is much of a choice here.  If 
> both fail, then maybe don't give out an IPv6 address.

The only problem with decoding the DUID is that you're never sure if you're
decoding the right DUID.  It's quite possible that you're picking apart the
DUID for a request that came from the built in motherboard adaptor, but the
MAC address you pull out came from a USB dongle that's now in some other
machine.  In the common case of a laptop with a wired and a wireless, on
average you're going to be wrong 50% of the time.

> I think we need these kind of options, I don't think any of this 
> should be the default behavior.  But a MAC address based 
> option is absolutely necessary in the short run for most 
> campuses. 

Given that:

 - there's no field designed to carry the MAC address
 - the DUID will usually carry a MAC address, but you have no idea if it's the
one you're looking for
 - the most common IPv6 capable client OS for the next couple of years doesn't
use EUI-64 addresses by default

it looks like the only way to get everyone properly online via IPv6 is to have the
relay agent and/or server dig down and drag out the MAC address from the raw
packet.

The alternative is to tell Vista users (ie, the vast majority on most
campuses) that they can't get IPv6 connectivity until they run a magic command
or program that does it for them.  Given that most users will have only a dim
idea at best of IPv6 vs IPv4, and won't see any benefit at all in using IPv6,
this will limit IPv6 penetration to IT managed machines.

So David (Hankins, that is =), given all that, how do you feel about having
the server/relay agent pull the MAC address off of the link layer headers?

(if so, it's probably time to start a new thread on that topic =)

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
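
The lookup order discussed in this message (link-local address first, then the DUID, otherwise no answer), as an added example that is not part of the original thread or of any DHCP server's code. Function names and sample values are constructed for illustration; the DUID-LLT and DUID-LL layouts follow RFC 3315.

```python
import ipaddress
import struct

def _fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def mac_from_eui64(addr: str):
    """MAC embedded in a modified-EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    # EUI-64 IIDs carry FF:FE in the middle two bytes; a randomised IID
    # matches only by chance (1 in 65536), so treat a hit as a hint.
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied when the IID was built.
    return _fmt(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])

def mac_from_duid(duid: bytes):
    """Link-layer address inside a DUID-LLT (1) or DUID-LL (3), or None."""
    if len(duid) < 4:
        return None
    duid_type, hw_type = struct.unpack("!HH", duid[:4])
    if duid_type == 1:
        ll = duid[8:]      # type, hw type, 4-byte timestamp, then address
    elif duid_type == 3:
        ll = duid[4:]      # type, hw type, then address
    else:
        return None        # e.g. DUID-EN (2) carries no link-layer address
    if hw_type != 1 or len(ll) != 6:   # Ethernet only
        return None
    return _fmt(ll)

def identify_host(link_local: str, duid: bytes):
    """Return (mac, source); source records how much to trust the result."""
    mac = mac_from_eui64(link_local)
    if mac:
        return mac, "eui-64"
    mac = mac_from_duid(duid)
    if mac:
        # May be a different interface's MAC than the one that sent the request.
        return mac, "duid-unverified"
    return None, "unknown"

# Constructed sample input: DUID-LLT, Ethernet, made-up timestamp and MAC.
SAMPLE_DUID_LLT = bytes.fromhex("00010001" "11223344" "001a2b3c4d5f")
if __name__ == "__main__":
    print(identify_host("fe80::21a:2bff:fe3c:4d5e", SAMPLE_DUID_LLT))
    print(identify_host("fe80::a1b2:c3d4:e5f6:718", SAMPLE_DUID_LLT))
```

The second call falls through to the DUID, which is the case the message warns about: the address returned may belong to an adaptor other than the one the request arrived on.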


