On Fri, 04 Mar 2011 15:03:09 -0800 james woodyatt <j...@apple.com> wrote:
> On Mar 4, 2011, at 10:55 AM, RJ Atkinson wrote:
> >
> > As with audits of financial records, perfection is not required,
> > but a certain confidence interval IS desired/required/needed.
>
> It seems to me that proper accounting of which hosts are using what IPv6
> addresses is probably better achieved by enhancing routers with the
> capability to journal their neighbor discovery cache insertions to a secure
> repository for offline review. That combined with authorization logs from
> EAPOL ought to provide sufficient confidence for most civilian audits. Am I
> missing something?
>

+1

I think a router (or some other appropriate device) could be enhanced to specifically listen for DAD attempts, insert the preliminary info sourced from the DAD attempt(s) into its neighbor cache, and then let NUD determine if the address passes DAD. Once that occurs, it could generate e.g. an SNMP trap towards an auditing device. When NUD detects that the device has disappeared, another SNMP trap would occur.

Influencing behaviour via e.g. forcing DHCPv6 or trying to switch off privacy addresses is a reasonable method to try to use to address this issue, but ultimately you're trusting the device to behave as specified. You really also need to be trying to detect when devices don't behave.

Financial accounting and auditing follows this model - defined accounting procedures, and audits to detect when they haven't been complied with.

Regards,
Mark.

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
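The offline-review side of what the thread sketches, as an added example that is not part of the mailing-list discussion or any vendor's software: a router's neighbor-cache journal (DAD-tentative, NUD-reachable, removed transitions) is correlated with the access switch's EAPOL authorization log to produce an audit trail of which authenticated user held which IPv6 address over which interval. Both log formats, the timestamps, MACs, users and addresses are constructed for illustration; only addresses that NUD has reported reachable are attributed, since a tentative entry may still fail DAD, and a reachable address whose MAC has no current 802.1X authorization is flagged as an anomaly for the auditor.

```python
"""Correlate an ND neighbor-cache journal with EAPOL authorization logs.

Added example; the line formats below are constructed, not a real router's
or RADIUS server's output.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple
import ipaddress

# Constructed sample journal: one line per neighbor-cache transition.
#   tentative = DAD in progress, reachable = NUD confirmed the neighbor,
#   removed   = NUD gave up / entry expired.
ND_JOURNAL = """\
2011-03-04T15:10:02Z nd mac=00:11:22:33:44:55 addr=2001:db8:0:0::1a2b:3c4d state=tentative
2011-03-04T15:10:03Z nd mac=00:11:22:33:44:55 addr=2001:db8::1a2b:3c4d state=reachable
2011-03-04T15:12:00Z nd mac=00:11:22:33:44:66 addr=2001:db8::9 state=tentative
2011-03-04T15:12:01Z nd mac=00:11:22:33:44:66 addr=2001:db8::9 state=reachable
2011-03-04T15:30:00Z nd mac=00:11:22:33:44:55 addr=2001:db8::1a2b:3c4d state=removed
"""

# Constructed sample 802.1X decisions from the access switch.
EAPOL_LOG = """\
2011-03-04T15:09:50Z eapol mac=00:11:22:33:44:55 user=alice result=authorized
2011-03-04T15:31:00Z eapol mac=00:11:22:33:44:55 user=alice result=deauthorized
"""


@dataclass
class Event:
    ts: datetime
    kind: str                 # "nd" or "eapol"
    fields: Dict[str, str]


@dataclass
class Binding:
    addr: str
    mac: str
    user: Optional[str]       # None when no EAPOL authorization covered the MAC
    start: datetime
    end: Optional[datetime] = None


def parse_line(line: str) -> Event:
    """Parse one 'timestamp kind key=value ...' line of either log."""
    ts, kind, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    if "addr" in fields:
        # Normalize so differently written forms of one address compare equal.
        fields["addr"] = ipaddress.IPv6Address(fields["addr"]).compressed
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields)


def build_audit_trail(nd_text: str, eapol_text: str) -> Tuple[List[Binding], List[str]]:
    """Return (bindings, anomalies) by replaying both logs in time order."""
    events = [parse_line(l) for l in (nd_text + eapol_text).splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)          # stable: equal timestamps keep file order
    user_for_mac: Dict[str, str] = {}        # MAC -> currently authorized user
    open_bindings: Dict[str, Binding] = {}   # address -> binding not yet closed
    trail: List[Binding] = []
    anomalies: List[str] = []
    for ev in events:
        f = ev.fields
        if ev.kind == "eapol":
            if f["result"] == "authorized":
                user_for_mac[f["mac"]] = f["user"]
            else:
                user_for_mac.pop(f["mac"], None)
            continue
        addr, mac, state = f["addr"], f["mac"], f["state"]
        if state == "reachable" and addr not in open_bindings:
            # Only a NUD-confirmed address is attributed; DAD may still have
            # failed for a tentative entry, so those are left unrecorded.
            user = user_for_mac.get(mac)
            binding = Binding(addr, mac, user, ev.ts)
            open_bindings[addr] = binding
            trail.append(binding)
            if user is None:
                anomalies.append(
                    f"{ev.ts.isoformat()} {addr} on {mac} became reachable "
                    f"with no EAPOL authorization for that MAC")
        elif state == "removed" and addr in open_bindings:
            open_bindings.pop(addr).end = ev.ts
    return trail, anomalies


if __name__ == "__main__":
    bindings, issues = build_audit_trail(ND_JOURNAL, EAPOL_LOG)
    for b in bindings:
        print(f"{b.addr:<24} {b.mac}  user={b.user or '-':<8} "
              f"{b.start.isoformat()} .. {b.end.isoformat() if b.end else 'open'}")
    for issue in issues:
        print("ANOMALY:", issue)
```

The replay keys on the address rather than the MAC so that a host cycling through privacy addresses still yields one interval per address, each attributed to whoever was authorized on that MAC at the moment NUD confirmed it; the anomaly list is the part an auditor would actually review, since it is where a device that did not behave as specified shows up.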