DHCPv6 and other layer 2 tools

Randall C Grimshaw rgrimsha at syr.edu
Sat Nov 19 23:48:45 UTC 2011


I didn't want to hijack the other thread or even get involved in the routing argument, but I did want to expand the question of what is a reasonable solution. It is marginally relevant only because there seems to be an expectation by some that DHCP should be the solution... but I don't want to 'presume' on that.

Reviewing the problem: There is the observation that: we network admins are going to be caught in the crossfire between privacy and responsibility. So far the legislators have been putting more of the burden on us to, ahem, solve the internet's responsibility problems... lacking super human powers, we need tools. Specifically, accountability tools that scale.

The most obvious candidate, layer 1 - 802.1x directed access control and private VLANs for configuration assistance, may not reach into all CPE and most who have approached edge access control have settled on MACauth anyway... not ready for IPv6.

Aggravating the problem is that IPv6 places the burden of security with the higher application or nested SSL tunnel layers and basically continues to leave layer 2 undefended.

What is being discussed as a layer 2 solution? Is authenticated DHCP leveraging certificates and supplicant authentication a possibility? Or is it more likely the routers will support such security in assigning prefix via RAdv ... or do we adapt QOS to read into the onion skin of headers for user supplied credentials... Quarantining packets without the needed authentication?

Thank you in advance for your insights.

Randall Grimshaw rgrimsha at syr.edu