DHCPv6 and MAC Address inclusion

Ted Lemon Ted.Lemon at nominum.com
Wed Jan 25 20:50:21 UTC 2012


On Jan 25, 2012, at 8:51 AM, perl-list wrote:
> Letting the client make up bits of information that are to be used to identify them certainly doesn't sound like a good foundation for good security practice.

What does the client identifier have to do with security? It's not authenticated in any way. If you're using it for security, you don't have any security.

> BTW: people on the NANOG list are advocating splitting the MAC from the LL or LLT identifier as mentioned above for subscriber identification as they, being operational, recognize the importance of identifying that the DHCPv6 and DHCPv4 client are one and the same. We have pointed out to them that this will not work in all cases and there is much renewed head scratching.

This isn't on the NANOG agenda for San Diego. I'm surprised anyone's suggesting this—as you say, there's no guarantee that it will work. Even if the DUID contains a MAC address, it's not necessarily the same MAC address that the client is sending.
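
Added example, not part of the original message or of ISC DHCP: a Python sketch of splitting the link-layer address out of a DUID-LLT or DUID-LL (layouts per RFC 3315 section 9) and comparing it with the MAC seen on the wire, covering the cases raised above where there is no MAC in the DUID or it differs. The function names, result labels and sample DUIDs are constructed for illustration.

```python
import struct

# DUID type codes from RFC 3315 section 9
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1  # IANA hardware type for Ethernet

def duid_link_layer(duid: bytes):
    """Return (hw_type, ll_addr) embedded in a DUID-LLT/DUID-LL, else None."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", duid[:2])
    if dtype == DUID_LLT:
        offset = 8   # type(2) + hardware type(2) + time(4)
    elif dtype == DUID_LL:
        offset = 4   # type(2) + hardware type(2)
    else:
        return None  # DUID-EN or unknown type: no link-layer address inside
    if len(duid) <= offset:
        raise ValueError("truncated DUID")
    (hw_type,) = struct.unpack("!H", duid[2:4])
    return hw_type, duid[offset:]

def classify(duid: bytes, observed_mac: bytes) -> str:
    """Compare the DUID's embedded address with the MAC seen on the wire.

    Even "match" is only a correlation hint: the DUID is client-supplied
    and not authenticated, so it must not be used as a security control.
    """
    ll = duid_link_layer(duid)
    if ll is None:
        return "no-mac-in-duid"
    hw_type, addr = ll
    if hw_type != HW_ETHERNET or len(addr) != 6:
        return "non-ethernet-duid"
    return "match" if addr == observed_mac else "mismatch"

# Constructed sample data (MACs from the RFC 7042 documentation range)
MAC_A = bytes.fromhex("00005e005301")
MAC_B = bytes.fromhex("00005e005302")
SAMPLE_LLT = bytes.fromhex("00010001" "16b1e0c2") + MAC_A  # DUID-LLT built on MAC_A
SAMPLE_LL = bytes.fromhex("00030001") + MAC_B              # DUID-LL built on another NIC
SAMPLE_EN = bytes.fromhex("0002" "00000009" "0c0ffee0")    # DUID-EN, opaque identifier

if __name__ == "__main__":
    for name, duid in (("LLT", SAMPLE_LLT), ("LL", SAMPLE_LL), ("EN", SAMPLE_EN)):
        print(name, classify(duid, MAC_A))
```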
