Monday, March 12, 2018

IPv6: Restrict network access of unauthorized devices as much as possible

tl;dr: What is the proper IPv6 way to deny unauthorized devices access to the LAN and WAN?

We have to come up with a concept to roll out IPv6 as a project for our university. Currently, unauthorized devices do not get an IPv4 address, because the DHCP server matches on MAC address. Every authorized device gets the same IPv4 address every time, and everyone else gets nothing. I know that this is not much of a useful security mechanism, because MACs are easily spoofed, but our "project manager" would prefer to do it the same way with IPv6.

Now, there are a few problems with DHCPv6 and MAC address matching. First, DHCPv6 uses DUIDs, and it is pretty difficult to predict what kind of DUID the client sends. We tried different DHCPv6 servers (KEA, ISC dhcpd, dhcpy6d), and only dhcpy6d allowed us to match the MAC addresses consistently. Another problem is the router advertisement. Most clients are Linux systems. If you configure NetworkManager to get an address from the DHCPv6 server and not do SLAAC, it ignores the router advertisement sent by radvd. This means no internet access over IPv6, which is not acceptable. If you use SLAAC, you get the route, but then everyone gets a valid address, and that's not acceptable either.
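
An added example (not from the original post) that decodes the four DUID types defined in RFC 8415 and shows why a MAC allow list can only be keyed on DUID-LLT and DUID-LL; the allow list and the sample DUIDs are constructed, not captured from real clients.

```python
# Decode DHCPv6 DUIDs (RFC 8415 section 11) and extract the embedded MAC where one exists.
import struct
from typing import Optional

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1  # IANA hardware type for Ethernet


def mac_from_duid(duid: bytes) -> Optional[str]:
    """Return the MAC embedded in a DUID, or None when the DUID carries none.

    Only DUID-LLT and DUID-LL embed a link-layer address; DUID-EN and DUID-UUID
    do not, so a MAC-based allow list cannot match those clients at all.
    """
    if len(duid) < 2:
        raise ValueError("DUID shorter than its type field")
    (duid_type,) = struct.unpack("!H", duid[:2])
    if duid_type == DUID_LLT:            # type(2) hw-type(2) time(4) lladdr
        if len(duid) < 8:
            raise ValueError("truncated DUID-LLT")
        (hw_type,) = struct.unpack("!H", duid[2:4])
        lladdr = duid[8:]
    elif duid_type == DUID_LL:           # type(2) hw-type(2) lladdr
        if len(duid) < 4:
            raise ValueError("truncated DUID-LL")
        (hw_type,) = struct.unpack("!H", duid[2:4])
        lladdr = duid[4:]
    else:                                # DUID-EN, DUID-UUID or unknown: no MAC
        return None
    if hw_type != HW_ETHERNET or len(lladdr) != 6:
        return None                      # not a 48-bit Ethernet address
    return ":".join(f"{b:02x}" for b in lladdr)


def authorized(duid: bytes, allow_list: set) -> bool:
    """Allow-list decision the DHCPv6 server would make for this DUID."""
    mac = mac_from_duid(duid)
    return mac is not None and mac in allow_list


# Constructed sample DUIDs (hypothetical values, not from a real client).
SAMPLES = {
    "llt":  bytes.fromhex("0001" "0001" "5aa0b1c2" "001122334455"),
    "ll":   bytes.fromhex("0003" "0001" "001122334455"),
    "en":   bytes.fromhex("0002" "00000009" "0cc084d303000912"),
    "uuid": bytes.fromhex("0004") + bytes(range(16)),
}
ALLOW = {"00:11:22:33:44:55"}  # constructed allow list

if __name__ == "__main__":
    for name, duid in SAMPLES.items():
        print(f"{name:4} mac={mac_from_duid(duid)} authorized={authorized(duid, ALLOW)}")
```

A client that sends DUID-EN or DUID-UUID can only be matched on its full DUID, or on the link-layer address a relay agent adds with the RFC 6939 option.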

We also thought about "sticky port" configuration on the switches, but that would be an enormous configuration task, and is just not feasible.

I hope that someone with a little more IPv6 experience can give us a few hints.
