host-identifier with IPv6
Chuck Anderson
cra at WPI.EDU
Wed Mar 4 02:32:10 UTC 2009
On Tue, Mar 03, 2009 at 05:45:31PM -0700, Ted Lemon wrote:
> On Mar 3, 2009, at 2:25 PM, Frank Sweetser wrote:
>> Between the DUID only including one MAC address of a multi-homed
>> machine, and the fact that Vista doesn't use the EUI-64 link-local
>> address when communicating with the DHCPv6 server, it seems
>> inevitable to me that there are going to be plenty of instances
>> where the originating MAC address is nowhere to be seen in the
>> packet once it goes through a relay.
>
> Okay, so can you clarify for me please why it's the case that when you
> have a multi-homed machine, it's a problem that it only reports one of
> its mac addresses in the DUID? Why is one not sufficient? Why do you
> need the other? I'm not telling you you don't need it - I'm just
> asking why.
It may be the case that the DUID was generated using and now refers to
a hardware address that is no longer present, or indeed is now present
on a different machine. For example, maybe you installed a netbook
using a USB network interface because the installer doesn't support
the built-in network interface. You had to register that MAC address
to enable the system to get network access or to associate it with
certain boot options from the DHCP server. Later you remove the USB
network interface because the installed OS supports the internal NIC.
Then you move the USB NIC to another machine. Now the netbook's DUID
has embedded in it the MAC of the USB NIC which is now in a different
system.
>> As a long term solution, how would you feel about a proposal to add
>> a new DHCPv6 field containing the link-layer address on which the
>> packet was sent? This could, from the protocol point of view, be
>> sent as a simple informational attribute, with no guarantee of
>> uniqueness, while the DUID semantics remain unchanged. If I've
>> understood your other comments correctly, this means that the DUID
>> could still be used as the primary identifier, but the DHCP server
>> would optionally be able to use the link-layer address, if present,
>> as an input to administratively configured policy decisions about
>> which options and values should be handed back to the client.
>
> I think two things. First, I think that it won't be implemented,
> because it's not required for the protocol to work. Second, I don't
> think the IETF would adopt it, because it's not required for the
> protocol to work, and I don't think you can come up with a convincing
> use case (I've been trying to get someone to give me one, and I haven't
> heard one yet).
I could just as easily apply the same logic to DHCPv6 itself: "DHCPv6
isn't required for IPv6 to work, so why do we have DHCPv6 at all? We
have RA's and SLAAC and static addressing." I would answer that
RA/SLAAC doesn't fit everyone's use case, so we have DHCPv6 as another
option. The same thing applies to DUID vs. link-layer address. Why
can't we have various options to suit the needs of different user
bases?
Can you tell me why these aren't convincing use cases? What would be
your recommendations for these:
1. Only allowing known-hosts to get an IPv6 address from the DHCPv6
server via any subnet and ethernet port of your campus, or perhaps
only certain subnets/pools depending on policy. Where known =
identified as belonging to a user you know the identity of. (Hint:
802.1X doesn't count because its support isn't universal.) It doesn't
have to be a 100% bullet-proof secure identity, just a mostly stable
identifier that maps back to a user via a registration process.
2. Classifying a physical hardware device as belonging to a specific
group for the purposes of automated deployment mechanisms. i.e. read
MAC address off label and assign it as being a "Computer Science PXE
boot" vs. "Electrical Engineering PXE boot". (Hint: recording the
DUID generated by the Operating System doesn't work if there is no OS
yet, or if the OS is cloned or otherwise wiped and reinstalled.)
>> This should let those of us with MAC centric workflows (including
>> many, many EDU networks) migrate to IPv6 with far less pain and
>> suffering, while still leaving the million client per server ISPs
>> able to freely ignore the MAC address.
>
> This is going to sound callous. Please don't take it that way - I'm
> asking this question sincerely. I do not understand why you have a
> "mac-centric workflow." I do not understand why you think not using
> the Mac address is going to be a source of such pain. You call it a
> "showstopper." That's *astonishing* to me.
The MAC address has traditionally been and still is the *only*
globally unique (unique enough in practice) hardware-embedded value
that can be easily obtained and doesn't change throughout the lifetime
of the hardware device. Sure, ethernet hardware is sometimes
replaced, but that is rare and is a visible change where people have
come to expect the need to re-register as a known host.
> To me, the idea of tracking every mac address of every device on a
> network by walking around with a keyboard or a bar-code scanner and
> entering them all into a database is the very definition of "pain and
> suffering." DHCP's whole raison-d'être is to save you, the network
> administrator, the effort of walking around doing a manual process on
> each machine.
Ah, but we have these nice things called "ARP (nee NDP) tables" and
"Forwarding Databases" that keep track of every MAC address's location
on the network. For new, unknown MAC addresses that appear on the
network, a captive portal captures the MAC address, and the user logs
in and registers that hardware device as belonging to that user.
Sure, that doesn't always work (What, no web browser available on that
network-attached oscilloscope? Ok, you have to type the MAC in
manually from another PC in that case.) but it has proven very
workable in the common case.
Could the same automatic solution work with DUIDs instead of MAC
addresses? I suppose, but that would require re-tooling a lot of
deployed infrastructure. For example, changing the workflow to DUID
instead of MAC/link-layer address, we can no longer find where a user
is physically on the network without digging into the DHCP lease
database, cross referencing the DUID there with the IPv6 leases, then
cross referencing those with NDP tables, then cross referencing those
with FDB tables, finally getting to a physical location.
Or perhaps we could abandon using DHCP at all for a host/user
identification system and use something else, like a real NAC system.
I already mentioned that 802.1X isn't workable. Beyond the so-called
"oscilloscope problem" there is the security issue with users storing
possibly valuable credentials on their systems so they don't have to
enter it every time. If you use a different non-valuable credential,
then that's another thing for the user to keep track of (and so much
for single-sign-on). Perhaps we could use a MAC-address based NAC
system (aka MAC security or RADA: RADIUS Authenticated Device Access),
but then we are back to tracking every MAC address in a central
database, except without the possibility of easily capturing this MAC
address in an automated fashion through a captive portal, at least not
without extensive re-tooling.
> So why is it that you have chosen this model - what is the value that it
> adds, and why is it that there is no better solution that involves less
> work?
Part of it is associating a user's activities on the network with the
traffic flows on the network for policy enforcement and
accountability. We have a need to support any kind of Ethernet or
WiFi device a user may bring, and 802.1X support isn't available
everywhere. Ethernet and WiFi have a good enough identifier that is
globally unique (unique enough in the practical sense), is always
there, is easily obtainable from an uninitialized system, can be
obtained in an automated fashion for the most common case, and never
changes except in well known, uncommon situations: the MAC address.
But perhaps less important than "why" is the fact that we and many
others *have* chosen this model already for existing IPv4 networks and
this has worked for them for many years. Having to re-tool this
infrastructure to support IPv6 is a large cost and a barrier to IPv6
adoption, whereas providing an option for existing networks to choose
to continue to use these mechanisms that are compatible with their
IPv4 infrastructure would aid in IPv6 adoption. It's the same reason
the IETF has done a lot of work on IPv6 tunneling and transition
mechanisms and IPv4/IPv6 co-existence.
More information about the dhcp-users
mailing list