Help with DHCPv6 client-identifiers

Bjørn Mork bjorn at mork.no
Fri Nov 18 18:49:04 UTC 2011


Simon Hobson <dhcp1 at thehobsons.co.uk> writes:

> Which is fine if all devices are connected in such a manner that they
> are each connected as the only device on the managed switch port. If
> that is the case for you then great, it certainly isn't always -
> unmanaged switches, virtual switches, and broadcast media (e.g. cable
> systems) are all cases in point.

I fail to see how you can expect to apply different policies to clients
sharing the same media, unless you authenticate the clients somehow.

> And, the switch port changes a darn sight more frequently than the MAC address.

In some situations, yes.  But then you would want to use 802.1x.

> So your argument is that instead of using something that is
> (nominally) unique and (largely) invariant, you want to use something
> that is in fact fairly variable in most networks.

My argument is the identifier you are choosing is under the client's
control, which makes it unsuitable as a basis for any policy decision. 

> So let's get this clear.
> Instead of a setup where the cable modem has an identifier which needs
> no configuration beyond the manufacturers giving it a unique ID (and
> thereafter can be fully configured via DHCP), you propose a system
> where the cable operator or their customers need to configure each
> device before it is possible to configure it by DHCP.

Yes, if you really need to identify the client, and you have chosen to
build a network where the clients share a broadcast network, then I
don't see any other option.

You may of course choose to trust whatever the client tells you, but you
may as well use the CLIENT_FQDN option or any other client configurable
option.  I still don't understand what you gain by such pseudo-
authentication.

> Like I said earlier, this discussion has been flogged to death
> before. The same arguments came out and were refuted before. I don't
> expect this one to be any more productive than the last.

True :-)


Bjørn
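
Added example, not part of the original message or of any DHCP server's code: a parser that splits the identifiers in a DHCPv6 Relay-forward by who wrote them, the client (its DUID) or the relay (the Interface-Id option). It assumes the switch port reaches the server as a relay-inserted Interface-Id (option 18, RFC 8415); the helper names, the DUID and the port label are constructed for illustration.

```python
import struct

# Message type and option codes from RFC 8415.
RELAY_FORW = 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID = 1, 9, 18

def parse_options(buf):
    """Yield (code, value) per option; reject truncated or overlong TLVs."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds packet")
        yield code, buf[off:off + length]
        off += length

def identifiers(packet):
    """Separate what the client wrote from what the relay added."""
    found = {"client_supplied": {}, "relay_inserted": {}}
    while packet and packet[0] == RELAY_FORW:
        if len(packet) < 34:  # type, hop count, link and peer address
            raise ValueError("truncated relay header")
        inner = b""
        for code, val in parse_options(packet[34:]):
            if code == OPT_INTERFACE_ID:
                # Innermost relay (nearest the client) wins.
                found["relay_inserted"]["interface_id"] = val
            elif code == OPT_RELAY_MSG:
                inner = val
        packet = inner
    if len(packet) < 4:  # type plus 3-byte transaction id
        raise ValueError("no client message")
    for code, val in parse_options(packet[4:]):
        if code == OPT_CLIENTID:
            found["client_supplied"]["duid"] = val.hex()
    return found

def opt(code, val):
    """Encode one option as a 2-byte code, 2-byte length and value."""
    return struct.pack("!HH", code, len(val)) + val

def sample(duid, port):
    """Constructed Relay-forward wrapping a constructed Solicit."""
    solicit = b"\x01\xab\xcd\xef" + opt(OPT_CLIENTID, duid)
    return (bytes([RELAY_FORW, 0]) + bytes(32)
            + opt(OPT_INTERFACE_ID, port) + opt(OPT_RELAY_MSG, solicit))

if __name__ == "__main__":
    print(identifiers(sample(bytes.fromhex("00030001020000000001"), b"port-7")))
```

A message that arrives without a relay header yields an empty `relay_inserted` set, so a policy keyed on it has nothing network-supplied to match and only the client's own claim remains.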



More information about the dhcp-users mailing list