Nada?

On Thu, Nov 10, 2016 at 8:23 AM, Tim DeNike <tim.den...@mcc.edu> wrote:

> Is there any progress being made towards functional IPv6 IP tracking in
> PF?  I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
> takes the udp_reflector data I was sending from my DHCPv6 servers.  It's
> like it just ignores it.  ( I know it only ever looked for the
> fingerprint/vendor/enterprise info and didn't update).
>
> #1.  Forwarding DHCPv6 using udp_reflector
> #2.  Tracking IA-NA address per host
> #3.  Making use of Framed-IPv6-Address RADIUS attribute
> #4.  Performing firewall SSO updates
>
> Less Important (At least to me):
> #5.  Tracking IA-PD subnet per host (as a separate field).
> #6.  Figure out a way to forward ND packets to PF for sites that use SLAAC
> (Maybe snmp queries to routers or sflow data?)
>
> In the end, I think we would probably need to expand the pf.iplog table to
> be more like (Or have a separate table for ipv6 addresses?  I don't know
> what is going to be most scalable/efficient):
>
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
> start_time6na2, end_time6na2
>
>
> Reasoning for so many fields:
>
> In a network with both SLAAC and DHCP6 enabled, a device could have 4 IPv6
> addresses.
>
> 1 - SLAAC address
> 2 - SLAAC temporary (Privacy extensions address)
> 3 - DHCP6 address
> 4 - DHCP6 PD Prefix
>
> Now this is an improperly configured network, but there could be a legit
> use-case for it. You should really only use SLAAC or DHCP6, not both.
>
> A Windows client will prefer/use the DHCP6 address, but the SLAAC and
> SLAAC temp address are both valid and usable.
>
> A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
> DHCP6 address are still valid and usable.
>
> Android devices don't support DHCP6 (Because Google is really stupid)
>
> iOS devices behave like OSX devices.
>
> Most home routers will use DHCP6 address for their own communication,
> some will get a SLAAC address, some won't.  Most don't even need the NA
> address and only require a PD address.
>
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
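
Items #2 and #5 in the quoted message (tracking the IA-NA address and the IA-PD prefix per host) come down to pulling those options out of each DHCPv6 Reply. The sketch below is an added example, not PacketFence code and not from either poster. The function names are hypothetical, the sample packet is constructed, and the MAC is assumed to be recoverable from an Ethernet DUID-LLT or DUID-LL.

```python
import ipaddress
import struct

MSG_REPLY = 7  # RFC 8415 message type; option codes follow
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_IA_PD, OPT_IAPREFIX = 1, 3, 5, 25, 26

def options(buf):
    """Yield (code, data) per option; a truncated trailing option is dropped."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4 + length
        if off <= len(buf):
            yield code, buf[off - length:off]

def duid_mac(duid):
    """MAC from an Ethernet DUID-LLT (type 1) or DUID-LL (type 3), else None."""
    if len(duid) < 4 or duid[2:4] != b"\x00\x01":  # hardware type 1 = Ethernet
        return None
    ll = {1: duid[8:], 3: duid[4:]}.get(int.from_bytes(duid[:2], "big"), b"")
    return ll.hex(":") if len(ll) == 6 else None

def leases_from_reply(pkt):
    """Return (mac, kind, value, valid_lifetime) rows from a DHCPv6 Reply."""
    if len(pkt) < 4 or pkt[0] != MSG_REPLY:
        return []
    mac, rows = None, []
    for code, data in options(pkt[4:]):  # skip msg-type and transaction-id
        if code == OPT_CLIENTID:
            mac = duid_mac(data)
        elif code in (OPT_IA_NA, OPT_IA_PD) and len(data) >= 12:
            for sub, d in options(data[12:]):  # skip IAID, T1, T2
                if code == OPT_IA_NA and sub == OPT_IAADDR and len(d) >= 24:
                    valid = struct.unpack_from("!I", d, 20)[0]
                    rows.append(("ia_na", str(ipaddress.IPv6Address(d[:16])), valid))
                elif code == OPT_IA_PD and sub == OPT_IAPREFIX and len(d) >= 25:
                    valid, plen = struct.unpack_from("!IB", d, 4)
                    if plen <= 128:  # ignore malformed prefix lengths
                        net = ipaddress.IPv6Network((d[9:25], plen), strict=False)
                        rows.append(("ia_pd", str(net), valid))
    return [(mac, kind, value, valid) for kind, value, valid in rows]

# Constructed sample Reply: made-up MAC, documentation prefix 2001:db8::/32
SAMPLE = bytes.fromhex(
    "07010203" "0001000a" "00030001020000aabbcc"
    "00030028" "000000010000000000000000"
    "00050018" "20010db8000100000000000000000010" "00000e10" "00001c20"
    "00190029" "000000010000000000000000"
    "001a0019" "00000e10" "00001c20" "38" "20010db8010000000000000000000000")
```

Each row carries its own valid lifetime, so the rows map onto either layout discussed in the quoted message (extra columns in iplog or a separate IPv6 table keyed by MAC).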
