On Thu, 23 Sep 2010, Mark Smith wrote:

If your concerns about end-node trust are as strong as they seem to be, wouldn't you be using 802.1x link layer authentication to identify and track the end-user? Wouldn't that be a much more effective mechanism to track who was attached to the network, when and for what duration?

I don't want to manage user accounts and credentials, also I'm not sure 802.1x in any way handles what the user can do once they're connected.

I'm talking about ETTH, one port in an L2 switch is a household. I know what port goes to each household, so "trust" is not the issue.

In IPv4 I hand out an IP address and I know to what port (option 82) this IP address is at, and the L2 environment makes sure this port can only source traffic from the IP it has been handed for the duration of the lease.

"Dynamic Host Configuration Protocol for IPv6 (DHCPv6) Relay Agent Remote-ID Option" and similar could also be used in that scenario, with the layer 2 device acting as a DHCPv6 relay. With it acting in that role, it would then be able to automatically configure basic and simple IPv6 source address filters and apply them to the link layer port.

I'm sure this is one thing SAVI WG has looked at and is part of their requirements.

--
Mikael Abrahamsson    email: swm...@swm.pp.se
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
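As an added illustration of the relay-based approach discussed above (example code, not from anyone in this thread): a relay on the L2 device reads the Remote-ID (RFC 4649, option 37) or Interface-ID (RFC 3315, option 18) it inserted into a RELAY-FORW message, and a binding table then permits only the leased address on that port until the lease expires. The RELAY-FORW sample is constructed; the `SourceFilter` class and its method names are assumptions for the example, not a real switch API.

```python
import struct
from ipaddress import IPv6Address

RELAY_FORW = 12          # DHCPv6 message type, RFC 3315
OPT_INTERFACE_ID = 18    # RFC 3315
OPT_REMOTE_ID = 37       # RFC 4649 (Relay Agent Remote-ID Option)

def parse_options(buf):
    """Split a DHCPv6 option area into (code, data) pairs; reject truncation."""
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, buf[i:i + length]))
        i += length
    return opts

def relay_port_id(msg):
    """Port identifier the relay put into a RELAY-FORW; Remote-ID preferred."""
    if not msg or msg[0] != RELAY_FORW:
        raise ValueError("not a RELAY-FORW message")
    # Header: msg-type(1) hop-count(1) link-address(16) peer-address(16) = 34 bytes
    opts = dict(parse_options(msg[34:]))
    if OPT_REMOTE_ID in opts:
        data = opts[OPT_REMOTE_ID]
        return ("remote-id", struct.unpack("!I", data[:4])[0], data[4:])
    if OPT_INTERFACE_ID in opts:
        return ("interface-id", opts[OPT_INTERFACE_ID])
    return None

def build_relay_forw(port_label, enterprise=0):
    # Constructed sample RELAY-FORW carrying a Remote-ID option (test input only)
    hdr = bytes([RELAY_FORW, 0]) + bytes(16) + IPv6Address("fe80::1").packed
    rid = struct.pack("!I", enterprise) + port_label
    return hdr + struct.pack("!HH", OPT_REMOTE_ID, len(rid)) + rid

class SourceFilter:
    """Per-port source-address binding table, keyed by relay_port_id() (assumed)."""
    def __init__(self):
        self.bindings = {}   # port key -> (IPv6Address, lease expiry time)
    def bind(self, port, addr, lease_seconds, now):
        # Called when the relay sees the server's REPLY for this port
        self.bindings[port] = (IPv6Address(addr), now + lease_seconds)
    def permit(self, port, src, now):
        src = IPv6Address(src)
        if src.is_link_local:        # ND and DHCPv6 itself must still work
            return True
        bound = self.bindings.get(port)
        return bound is not None and now < bound[1] and src == bound[0]
```

Note that a real deployment also has to handle address release, lease renewal and the privacy/temporary addresses a household host may generate on its own, which this table does not.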
