Content os deny unknown-clients in DHCPV6

Simon Hobson dhcp1 at thehobsons.co.uk
Tue Jul 3 07:06:10 UTC 2012


dqq wrote:

>I know the DUID, but when we assign a fixed address, the MAC works.
>And in the man file in dhcp-4.2.3-PI there are some 
>declarations as follows:
>
>       "please be aware that only the  dhcp-client-identifier  option  and  the
>        hardware  address can be used to match a host declaration, or the host-
>        identifier option parameter for DHCPv6 servers.   For  example,  it  is
>        not  possible to match a host declaration to a host-name option.   This
>        is because the host-name option cannot be guaranteed to be  unique  for
>        any  given  client,  whereas both the hardware address and dhcp-client-
>        identifier option are at least theoretically guaranteed to be unique to
>        a given client."
>
>When using a DUID, the clients may by default send a DUID-LLT DUID; the 
>timestamp can't be controlled when I use it to declare a 
>host, especially as there are lots of clients in my network. Maybe 
>I can use DUID-LL in my conf file, but if the client sends a request 
>message with a default DUID-LLT DUID, they can't match each other, do 
>they?

Bear in mind that in IPv6 there is no MAC address field or option in 
the client request packets. The *ONLY* field available is the DUID. 
Note carefully what it says in the clip above ... while not as well 
laid out as perhaps it could be, it says that for IPv4 the 
dhcp-client-identifier option and the hardware address can be used, 
and for IPv6 the host-identifier option can be used (I'm not that 
familiar with IPv6 DHCP, I assume host-identifier is the option name 
used by the ISC code for the DUID).

This has been endlessly "discussed" before, but the facts don't 
change - you cannot use hardware address to identify IPv6 clients. 
There is a proposal going through the works at the moment to define a 
hardware address option, but assuming that goes through, it would 
take some time before all the various clients got updated to use it.

Even if clients use DUID-LLT, or even DUID-LL, then the RFCs 
expressly forbid "looking inside" the option (eg to extract MAC 
address which may not be for the same interface anyway) - you are 
only allowed to treat the value as an opaque string which you can 
match with another string.

-- 
Simon Hobson

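As an added illustration, not part of this thread or of ISC's code, the following builds a DUID-LL and a DUID-LLT for the same constructed MAC (00:11:22:33:44:55 is an assumed sample value) and compares them the way a server must: as whole opaque byte strings. It also renders the DUID in the `host-identifier option dhcp6.client-id` form that an ISC dhcpd.conf host declaration takes.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values; not taken from the mailing-list post.
SAMPLE_MAC = bytes.fromhex("001122334455")
HW_TYPE_ETHERNET = 1
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # RFC 3315 DUID-LLT time base


def duid_ll(mac: bytes, hw_type: int = HW_TYPE_ETHERNET) -> bytes:
    """DUID-LL (RFC 3315 type 3): 2-byte type, 2-byte hardware type, link-layer address."""
    return struct.pack("!HH", 3, hw_type) + mac


def duid_llt(mac: bytes, when: datetime, hw_type: int = HW_TYPE_ETHERNET) -> bytes:
    """DUID-LLT (type 1): type, hardware type, 32-bit seconds since 2000-01-01 UTC, link-layer address.

    The timestamp is whatever the client picked when it first generated the DUID,
    which is why an administrator cannot predict a DUID-LLT from the MAC alone.
    """
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", 1, hw_type, secs) + mac


def isc_host_identifier(duid: bytes) -> str:
    """Render a DUID as the host-identifier line used in an ISC dhcpd.conf host block."""
    return "host-identifier option dhcp6.client-id " + ":".join(f"{b:02x}" for b in duid) + ";"


def host_matches(configured_duid: bytes, client_duid: bytes) -> bool:
    """Opaque comparison only: the server never looks inside the DUID for a MAC."""
    return configured_duid == client_duid


def sample_client_duid() -> bytes:
    """A DUID-LLT as a client might send it, with an arbitrary (constructed) generation time."""
    return duid_llt(SAMPLE_MAC, datetime(2012, 7, 3, 7, 6, 10, tzinfo=timezone.utc))


def demo() -> tuple:
    """Returns (LL-config vs LLT-client, LL-config vs LL-client) match results."""
    configured = duid_ll(SAMPLE_MAC)  # what an admin might write from the MAC
    return (host_matches(configured, sample_client_duid()),
            host_matches(configured, duid_ll(SAMPLE_MAC)))


if __name__ == "__main__":
    print(isc_host_identifier(sample_client_duid()))
    print(demo())  # a DUID-LL declaration does not match a DUID-LLT client
```

The first result is False: same MAC, but the DUID-LL written in the config and the DUID-LLT the client sends are different byte strings, so the host declaration has to carry the exact DUID the client actually uses.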
