How are you doing DHCPv6 ?

Ray Soucy rps at maine.edu
Tue Jan 24 07:51:20 CST 2012


"You shouldn't assume a MAC isn't constant" should read "is", double
negative failure.

On Tue, Jan 24, 2012 at 8:49 AM, Ray Soucy <rps at maine.edu> wrote:
> You shouldn't assume a MAC isn't constant.  Our students spoof their
> MACs all the time (thinking it will save them from getting a DMCA
> notice).
>
> The RFC suggests that DUIDs are stored in non-volatile memory or that
> an algorithm be used that can consistently reproduce the DUID (and
> IAID) for a system in the absence of persistent storage.
>
> For fixed hardware devices, I suspect most would opt for the use of
> DUID-LL type, which essentially the MAC with a DUID preamble, and
> doesn't need to be stored in memory since it's based on a MAC that can
> not be changed.  It would be simple to create a DUID sticker at that
> point, even retroactively.  I think the idea that DUID is random and
> getting worked up that it's not written on the side of the device is a
> little more FUD than fact.
>
> There _are_ things we need to address to make DHCPv6 easier to roll
> out (mainly on the server side), but just making bogus nitpick attacks
> distracts from the real issues, IMHO.
>
>
>
>
> On Mon, Jan 23, 2012 at 6:12 PM, Randy Carpenter <rcarpen at network1.net> wrote:
>>
>> Controlled by software = not constant.
>>
>> It is also not likely to be something that is knowable on a piece of electronic gear that is not a PC, nor will it be something that can be printed on the outside of the device, like most today.
>>
>> -Randy
>>
>>
>> ----- Original Message -----
>>> Yes, DUID and IAID should be persistent on systems.  If they are not
>>> then they are not following the RFC.
>>>
>>> Note that bad practices, though, can remove that persistence (e.g.
>>> deleting the DUID, or replicating the DUID on other systems).
>>>
>>> On Mon, Jan 23, 2012 at 5:56 PM, Karl Auer <kauer at biplane.com.au>
>>> wrote:
>>> > On Mon, 2012-01-23 at 17:26 -0500, Randy Carpenter wrote:
>>> >> One major issue is that there is no way to associate a user's MAC
>>> >> (for
>>> >> IPv4) with their DUID. I haven't been able to find a way to
>>> >> account
>>> >> for this without making the user authenticate once for IPv4, and
>>> >> then
>>> >> again for IPv6. This is cumbersome to the user. Also, in the past
>>> >> there have been various reason why we want to pre-authenticate a
>>> >> client's MAC address (mostly for game consoles, and such, which
>>> >> have
>>> >> the MAC written on the outside of the machine). How can this be
>>> >> done
>>> >> with IPv6, which the DUID is not constant?
>>> >
>>> > Perhaps I misunderstand you (or the RFCs) but it seems to me that
>>> > the
>>> > DUID *is* constant. Reading section 9 of RFC 3315, it's pretty
>>> > clear
>>> > that a DUID is generated once, according to simple rules, and does
>>> > not
>>> > change once it has been generated. Barring intervention, of course.
>>> >
>>> > The problem is how to either find out ahead of time what DUID a
>>> > client
>>> > has OR how to impose a specific DUID on a client as part of
>>> > provisioning
>>> > it. Neither of those issues looks particularly intractable,
>>> > especially
>>> > if vendors start shipping with pre-configured DUIDs that are
>>> > written on
>>> > the boxes.
>>> >
>>> > What do you mean by "authenticate"? Do you mean something like
>>> > 802.1x?
>>> >
>>> > Regards, K.
>>> >
>>> > --
>>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> > Karl Auer (kauer at biplane.com.au)
>>> > http://www.biplane.com.au/kauer
>>> >
>>> > GPG fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
>>> > Old fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
>>>
>>>
>>>
>>> --
>>> Ray Soucy
>>>
>>> Epic Communications Specialist
>>>
>>> Phone: +1 (207) 561-3526
>>>
>>> Networkmaine, a Unit of the University of Maine System
>>> http://www.networkmaine.net/
>>>
>>>
>>>
>
>
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/



-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/



More information about the NANOG mailing list