Content os deny unknown-clients in DHCPV6
Simon Hobson
dhcp1 at thehobsons.co.uk
Tue Jul 3 07:06:10 UTC 2012
dqq wrote:
>I know the DUID, but when we assign a fixed address, the MAC works.
>And in the man file in dhcp-4.2.3-P1 there are some
>declarations as follows:
>
> "please be aware that only the dhcp-client-identifier option and the
> hardware address can be used to match a host declaration, or the host-
> identifier option parameter for DHCPv6 servers. For example, it is
> not possible to match a host declaration to a host-name option. This
> is because the host-name option cannot be guaranteed to be unique for
> any given client, whereas both the hardware address and dhcp-client-
> identifier option are at least theoretically guaranteed to be unique to
> a given client."
>
>When using a DUID, the clients may by default send a DUID-LLT DUID; the
>timestamp can't be controlled when I use it to declare a
>host, especially as there are lots of clients in my network. Maybe
>I can use DUID-LL in my conf file, but if the client sends a request
>message with a default DUID-LLT DUID, they can't match each other, can
>they?
Bear in mind that in IPv6 there is no MAC address field or option in
the client request packets. The *ONLY* field available is the DUID.
Note carefully what it says in the clip above ... while not as well
laid out as perhaps it could be, it says that for IPv4 the
dhcp-client-identifier option and the hardware address can be used,
and for IPv6 the host-identifier option can be used (I'm not that
familiar with IPv6 DHCP; I assume host-identifier is the option name
used by the ISC code for the DUID).
This has been endlessly "discussed" before, but the facts don't
change: you cannot use the hardware address to identify IPv6 clients.
There is a proposal going through the works at the moment to define a
hardware address option, but even assuming that goes through, it would
take some time before all the various clients got updated to use it.
Even if clients use DUID-LLT, or even DUID-LL, the RFCs
expressly forbid "looking inside" the option (e.g. to extract a MAC
address, which may not be for the same interface anyway); you are
only allowed to treat the value as an opaque string which you can
match with another string.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
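Added illustration for the thread above (not code from the list, from Simon, or from ISC): a small Python module that builds the two DUID forms dqq asks about (DUID-LLT and DUID-LL, RFC 3315 section 9), renders the colon-hex form that dhcpd.conf accepts after `host-identifier option dhcp6.client-id`, and compares a presented DUID the way the RFC requires, as an opaque byte string. The MAC, timestamp and IPv6 address are constructed sample values; `describe_duid` is only for reading a DUID you have seen in a log, and is deliberately not used for matching. It shows concretely why a DUID-LL written from the MAC alone cannot match a client that presents a DUID-LLT, and why the value to put in the host declaration is the one the client actually sends.

```python
"""DUID handling for ISC dhcpd v6 host declarations (added example, RFC 3315 s.9)."""
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT = 1      # link-layer address plus time
DUID_EN = 2       # vendor-assigned, based on enterprise number
DUID_LL = 3       # link-layer address only
HW_ETHERNET = 1   # IANA hardware type for Ethernet
# RFC 3315 9.2: DUID-LLT time = seconds since 2000-01-01 00:00:00 UTC, mod 2**32
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample data, not from any real network.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_GENERATED_AT = datetime(2012, 7, 3, 7, 6, 10, tzinfo=timezone.utc)


def mac_to_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' or '00-11-22-33-44-55' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC")
    return raw


def duid_llt(mac: str, generated_at: datetime) -> bytes:
    """DUID-LLT as a client would generate it at `generated_at`.
    The timestamp is fixed by the client when it first creates the DUID,
    which is why it cannot be predicted from the MAC on the server side."""
    secs = int((generated_at - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac_to_bytes(mac)


def duid_ll(mac: str) -> bytes:
    """DUID-LL: no timestamp, so it is reproducible from the MAC alone."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_to_bytes(mac)


def to_isc_hex(duid: bytes) -> str:
    """Colon-separated hex, the form dhcpd.conf takes for dhcp6.client-id."""
    return duid.hex(":")


def from_isc_hex(text: str) -> bytes:
    """Inverse of to_isc_hex, e.g. for a value copied out of a log."""
    return bytes.fromhex(text.replace(":", ""))


def describe_duid(duid: bytes) -> dict:
    """Decode the DUID type for human display only.
    Not used by duid_matches: RFC 3315 requires servers to treat the DUID as
    opaque, and the address inside a DUID-LLT/LL need not even belong to the
    interface the request arrived on."""
    if len(duid) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", duid[:2])
    if dtype == DUID_LLT and len(duid) > 8:
        hwtype, secs = struct.unpack("!HI", duid[2:8])
        return {"type": "DUID-LLT", "hw_type": hwtype, "time": secs,
                "generated_at": DUID_EPOCH + timedelta(seconds=secs),
                "lladdr": duid[8:].hex(":")}
    if dtype == DUID_LL and len(duid) > 4:
        (hwtype,) = struct.unpack("!H", duid[2:4])
        return {"type": "DUID-LL", "hw_type": hwtype, "lladdr": duid[4:].hex(":")}
    if dtype == DUID_EN and len(duid) > 6:
        (enterprise,) = struct.unpack("!I", duid[2:6])
        return {"type": "DUID-EN", "enterprise": enterprise, "id": duid[6:].hex()}
    return {"type": f"unknown({dtype})", "raw": duid.hex(":")}


def duid_matches(configured: bytes, presented: bytes) -> bool:
    """The only comparison the RFC permits: whole-value equality."""
    return configured == presented


def host_declaration(name: str, duid: bytes, addr6: str) -> str:
    """Render an ISC dhcpd v6 host block keyed on the client's DUID."""
    return (f"host {name} {{\n"
            f"    host-identifier option dhcp6.client-id {to_isc_hex(duid)};\n"
            f"    fixed-address6 {addr6};\n"
            f"}}\n")


def sample_client_duid() -> bytes:
    """What the constructed sample client sends: a default DUID-LLT."""
    return duid_llt(SAMPLE_MAC, SAMPLE_GENERATED_AT)


if __name__ == "__main__":
    seen_on_wire = sample_client_duid()
    print(describe_duid(seen_on_wire))
    print(host_declaration("printer1", seen_on_wire, "2001:db8::10"))
    # A DUID-LL derived from the MAC never equals the client's DUID-LLT.
    print(duid_matches(duid_ll(SAMPLE_MAC), seen_on_wire))                       # False
    # Copying the DUID the client actually presented is what matches.
    print(duid_matches(from_isc_hex(to_isc_hex(seen_on_wire)), seen_on_wire))   # True
```

Run it directly to print the decoded sample DUID, the host block you would paste into dhcpd.conf, and the two comparison results. The practical consequence for dqq's question is the last two lines: the bytes in the host declaration must be the client's own DUID, taken from what it sends, not a DUID-LL rebuilt from its MAC.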