Re: [PacketFence-users] IPv6 progress?

2017-02-24 Thread Derek Wuelfrath
Hello Tim,

I am bringing this back up with a few questions!

> #2.  Tracking IA-NA address per host

What do you mean?

> #3.  Making use of Framed-IPv6-Address RADIUS attribute

To update node IP records?

> In the end, I think we would probably need to expand the pf.iplog table to be 
> more like (Or have a separate table for ipv6 addresses?  I don't know what is 
> going to be most scalable/efficient):
> 
> mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd, 
> start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2, 
> start_time6na2, end_time6na2

In this scenario, I assume:
- ip6 would be the DHCP6 address;
- ip6pd would be the DHCP6 PD prefix;
- ip6na1 would be the SLAAC address;
- ip6na2 would be the SLAAC temporary (Privacy extension address)

Am I assuming right?

Also, can you elaborate a bit more on the “PD” just to make sure we are on the 
same page.

Cheers!
— dw.

--
Derek Wuelfrath
de...@inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)



Re: [PacketFence-users] IPv6 progress?

2016-11-14 Thread Derek Wuelfrath
Hello Tim,

First of all, thanks for your detailed explanation of the required stuff to 
cover all the possible IPv6 addressing cases.

We will do some work to accomplish that missing feature in the next coming 
weeks or so.

I’ll try to update this thread with some links to our Github repo for related 
work.

Cheers!
-dw.

--
Derek Wuelfrath
de...@inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

> On Nov 14, 2016, at 12:59, Tim DeNike  wrote:
> 
> Nada?


Re: [PacketFence-users] IPv6 progress?

2016-11-14 Thread Tim DeNike
Nada?



[PacketFence-users] IPv6 progress?

2016-11-10 Thread Tim DeNike
Is there any progress being made towards functional IPv6 IP tracking in
PF?  I noticed after I upgraded from 5.7 to 6.3, pfdhcplistener no longer
takes the udp_reflector data I was sending from my DHCPv6 servers.  It's
like it just ignores it.  (I know it only ever looked for the
fingerprint/vendor/enterprise info and didn't update).

#1.  Forwarding DHCPv6 using udp_reflector
#2.  Tracking IA-NA address per host
#3.  Making use of Framed-IPv6-Address RADIUS attribute
#4.  Performing firewall SSO updates

Less Important (At least to me):
#5.  Tracking IA-PD subnet per host (as a separate field).
#6.  Figure out a way to forward ND packets to PF for sites that use SLAAC
(Maybe snmp queries to routers or sflow data?)

In the end, I think we would probably need to expand the pf.iplog table to
be more like (Or have a separate table for ipv6 addresses?  I don't know
what is going to be most scalable/efficient):

mac, ip, start_time, end_time, ip6, start_time6, end_time6, ip6pd,
start_time6pd, end_time6pd, ip6na1, start_time6na1, end_time6na1, ip6na2,
start_time6na2, end_time6na2


Reasoning for so many fields:

In a network with both SLAAC and DHCP6 enabled, a device could have 4 IPv6
addresses.

1 - SLAAC address
2 - SLAAC temporary (Privacy extensions address)
3 - DHCP6 address
4 - DHCP6 PD Prefix

Now this is an improperly configured network, but there could be a legit
use-case for it. You should really only use SLAAC or DHCP6, not both.

A Windows client will prefer/use the DHCP6 address, but the SLAAC and
SLAACtemp address are both valid and usable.

A Mac client will prefer/use the SLAAC temp address, but the SLAAC and
DHCP6 address are still valid and usable.

Android devices don't support DHCP6 (Because Google is really stupid)

iOS devices behave like OSX devices.

Most home routers will use DHCP6 address for their own communication,  some
will get a SLAAC address, some won't.  Most don't even need the NA address
and only require a PD address.
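
The "separate table" alternative raised in the post, as an added sketch that is not part of the original message and is not PacketFence code: one row per MAC, address kind, and address or prefix, each with its own validity window, plus the lookup an IP log exists to answer (which MAC held this address at this time, including addresses inside a delegated prefix). The table name `ip6log`, the kind labels, and the rule of one open binding per MAC and kind are assumptions; the MACs and addresses are constructed from documentation ranges.

```python
import ipaddress
import sqlite3

KINDS = ("slaac", "slaac_temp", "dhcp6_na", "dhcp6_pd")  # the four cases in the post

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table: end_time NULL means the binding is still open.
    db.execute("CREATE TABLE ip6log (mac TEXT NOT NULL, kind TEXT NOT NULL, "
               "net TEXT NOT NULL, start_time INTEGER NOT NULL, end_time INTEGER)")
    return db

def record(db, mac, kind, net, now):
    """Open a binding; close the previous open one of the same kind for this MAC."""
    if kind not in KINDS:
        raise ValueError(f"unknown kind: {kind}")
    mac = mac.lower()
    net = str(ipaddress.IPv6Network(net, strict=True))  # /128 host, shorter for PD
    open_row = db.execute("SELECT net FROM ip6log WHERE mac=? AND kind=? "
                          "AND end_time IS NULL", (mac, kind)).fetchone()
    if open_row and open_row[0] == net:
        return  # renewal of the same address: keep the existing window
    db.execute("UPDATE ip6log SET end_time=? WHERE mac=? AND kind=? "
               "AND end_time IS NULL", (now, mac, kind))
    db.execute("INSERT INTO ip6log VALUES (?,?,?,?,NULL)", (mac, kind, net, now))

def who_had(db, addr, at):
    """Bindings covering addr at time `at`, most specific prefix first."""
    ip = ipaddress.IPv6Address(addr)
    rows = db.execute("SELECT mac, kind, net FROM ip6log WHERE start_time<=? "
                      "AND (end_time IS NULL OR end_time>?)", (at, at)).fetchall()
    hits = [r for r in rows if ip in ipaddress.IPv6Network(r[2])]
    return sorted(hits, key=lambda r: -ipaddress.IPv6Network(r[2]).prefixlen)

def demo():
    """Constructed sample data: one dual SLAAC/DHCP6 laptop, one home router with PD."""
    db = open_db()
    laptop, router = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    record(db, laptop, "slaac", "2001:db8:0:1:200:5eff:fe00:5301/128", 100)
    record(db, laptop, "slaac_temp", "2001:db8:0:1:a1b2:c3d4:e5f6:1/128", 100)
    record(db, laptop, "dhcp6_na", "2001:db8:0:1::1000/128", 110)
    record(db, router, "dhcp6_na", "2001:db8:0:1::2000/128", 120)
    record(db, router, "dhcp6_pd", "2001:db8:ff00::/56", 120)
    # Privacy-extension rotation: closes the earlier temporary address at t=200.
    record(db, laptop, "slaac_temp", "2001:db8:0:1:9999:8888:7777:2/128", 200)
    return db

if __name__ == "__main__":
    print(who_had(demo(), "2001:db8:ff00:12::5", 130))
```

Keeping the closed rows is what lets a lookup for a rotated temporary address still resolve to the right MAC for the period it was in use.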