On Wed, Sep 22, 2010 at 9:28 AM, Karl Auer <ka...@biplane.com.au> wrote:
> On Wed, 2010-09-22 at 07:01 -0400, Randy Bush wrote:
>> >> also, do not underestimate the co$t of the operational change to move
>> >> from dhcp4 to nd/ra.  folk who want to keep dns and ip audit may have to
>> >> go static without dhcp6.  another non-trivial barrier to ipv6 deployment.
>> > Randy, could you elaborate please? Not sure I see what you are getting
>> > at. Do you mean that if people do not use DHCPv6, they will have a
>> > problem tracking which IP addresses are in use?
>>
>> for audit purposes, one wants to know which host did the dirty on
>> wednesday at 17:23.  most large enterprises base firewall rules on ip
>> address.  blah blah blah.
>
> Hm. Any host can take an address in its subnet - i.e. bypass DHCP. This
> is as true of IPv6 as it is of IPv4. Any host that does SLAAC is

Sure... but 99.99% of hosts (in the scenario Randy brings up) will
just use whatever info the host gets for config; they won't go off
inventing things on their own.

> "bypassing" DHCPv6. So something has to watch the DHCP traffic and
> dynamically permit addresses that have been allocated via DHCP. Is it

oh: "If your address isn't in the firewall, you can't pass through"

> that step that concerns you? I.e., if hosts are doing SLAAC their DHCP
> activity doesn't exist, so instead hosts will have to be assigned static
> addresses and permitted in firewalls etc statically?

yea... so in the ipv4 world of enterprise networking, lots of times the
hosts have "static addresses" mapped to them via DHCP. This way some
set of privileges can be assigned (or just: "your machine is called
bob, ping bob, see, your machine is working" as an example) via
firewall/etc rules (or hosts.allow or ...). Or, control over what/who
gets access to the LAN. Permitting random things to connect to your
LAN (easily) and DHCP an address from an address pool is very often a
bad plan.

I can see that in the ipv6 world I'd want to do the same sort of
thing, assign addresses (and retain the capability to shift dns, tftp,
wins, etc) around from a central control point. I'd also like to not
have random things plugged into my LAN get globally reachable
addresses (and/or access to my internal LAN's secrets, etc).

-Chris
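The audit problem the thread circles around, as an added example that is not code from the thread or from any IETF document: Randy's "which host did the dirty on wednesday at 17:23" is answered by walking the DHCP lease history, and that works only for addresses DHCP handed out. A SLAAC address never appears there. The example goes one step beyond the text by also trying the one partial fallback a practitioner has for a SLAAC address: if the interface identifier is in modified EUI-64 form, the MAC can be pulled back out of it (which still needs a separate MAC inventory); if the host used privacy/temporary addresses, nothing is recoverable. The lease records, hostnames, addresses and the `who_had`/`mac_from_eui64`/`attribute` function names are all constructed for this illustration.

```python
"""Audit lookup over a DHCP lease history, and the gap SLAAC leaves.

Added example, not from the thread. The lease table is constructed;
in practice it would be built from dhcpd's leases file or syslog.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv6Address, ip_address


@dataclass(frozen=True)
class Lease:
    ip: str            # address the server handed out
    host: str          # identity from the reservation (hostname)
    start: datetime    # lease valid from (inclusive)
    end: datetime      # lease valid until (exclusive)


# Constructed lease history: a v4 reservation that later moved to another
# host, and a v6 reservation. Nothing here for SLAAC-configured hosts.
LEASES = [
    Lease("10.0.1.20", "bob",
          datetime(2010, 9, 22, 8, 0), datetime(2010, 9, 22, 20, 0)),
    Lease("10.0.1.20", "alice",
          datetime(2010, 9, 22, 20, 30), datetime(2010, 9, 23, 8, 0)),
    Lease("2001:db8:1::20", "bob",
          datetime(2010, 9, 22, 8, 0), datetime(2010, 9, 22, 20, 0)),
]

# The instant from the thread: Wednesday 2010-09-22 at 17:23.
WED_1723 = datetime(2010, 9, 22, 17, 23)


def who_had(ip, when):
    """Host holding `ip` at `when` according to the DHCP history, or None
    if DHCP never issued that address (SLAAC / self-assigned / unknown).
    `when` may be a datetime or an ISO-8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    target = ip_address(ip)
    for lease in LEASES:
        if ip_address(lease.ip) == target and lease.start <= when < lease.end:
            return lease.host
    return None


def mac_from_eui64(ip):
    """If `ip` is an IPv6 address whose interface identifier is in modified
    EUI-64 form (ff:fe in the middle, U/L bit flipped), return the embedded
    MAC as a lowercase colon string; otherwise None. Privacy/temporary
    addresses (RFC 4941) carry no MAC, so they come back as None too."""
    addr = ip_address(ip)
    if not isinstance(addr, IPv6Address):
        return None
    iid = addr.packed[8:]                     # low 64 bits
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    octets = [iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]]
    return ":".join(f"{o:02x}" for o in octets)


def attribute(ip, when):
    """The audit question: who was on `ip` at `when`? Returns a short verdict
    string: a lease hit, an EUI-64 MAC hint, or 'not attributable'."""
    host = who_had(ip, when)
    if host:
        return f"dhcp lease: {host}"
    mac = mac_from_eui64(ip)
    if mac:
        return f"no lease; EUI-64 address, MAC {mac} (needs a MAC inventory)"
    return "no lease and no MAC in the address: not attributable from DHCP"


if __name__ == "__main__":
    for candidate in ("10.0.1.20",
                      "2001:db8:1::20",
                      "2001:db8:1:0:211:22ff:fe33:4455",   # SLAAC, EUI-64
                      "2001:db8:1::a1b2:c3d4:e5f6:1234"):  # SLAAC, privacy
        print(candidate, "->", attribute(candidate, WED_1723))
```

The firewall side of Chris's point is the same lookup run the other way: a rule keyed on 10.0.1.20 is really a rule about "bob" only for as long as the reservation guarantees bob gets that address. The moment a host self-configures, neither the audit lookup nor the rule has anything to hang on, which is why the fallback above is only a hint and not an identity.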
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------