IPv6 "bloat"
Matt Hoppes
mattlists at rivervalleyinternet.net
Sat Mar 19 23:20:05 UTC 2022
On a public network (such as WiFi - sure). On a private network where
the only authentication taking place is to the modem which is provided
by the service provider, not so much. It's a closed environment. The
modem demarcs to the end-user and the end-user never touches the
switching fabric.
Interesting about DHCPv6 Option 79. I had not run across that before.
I will look into that more. Thank you.
On 3/19/22 7:18 PM, Michael Thomas wrote:
> Thanks, I didn't think that they'd something that interfered with AAA.
> Using a MAC address as authentication seems sort of sketch to me in the
> first place.
>
> Mike
>
> On 3/19/22 4:14 PM, Tom Beecher wrote:
>>
>> Primarily the ability to end-to-end authenticate end devices. The
>> primary and largest glaring issue is that DHCPv6 from the client does
>> not include the MAC address, it includes the (I believe) UUID.
>>
>>
>> DHCPv6 Option 79
>>
>> https://datatracker.ietf.org/doc/html/rfc6939
>>
>>
>>
>> On Sat, Mar 19, 2022 at 6:58 PM Matt Hoppes
>> <mattlists at rivervalleyinternet.net> wrote:
>>
>>
>>
>> On 3/19/22 6:50 PM, Michael Thomas wrote:
>> >
>> > On 3/19/22 3:47 PM, Matt Hoppes wrote:
>> >> It has "features" which are at a minimum problematic and at a
>> maximum
>> >> show stoppers for network operators.
>> >>
>> >> IPv6 seems like it was designed to be a private network
>> communication
>> >> stack, and how an ISP would use and distribute it was a second
>> though.
>> >
>> > What might those be? And it doesn't seem to be a show stopper
>> for a lot
>> > of very large carriers.
>>
>> Primarily the ability to end-to-end authenticate end devices. The
>> primary and largest glaring issue is that DHCPv6 from the client does
>> not include the MAC address, it includes the (I believe) UUID.
>>
>> We have to sniff the packets to figure out the MAC so that we can
>> authenticate the client and/or assign an IP address to the client
>> properly.
>>
>> It depends how you're managing the network. If you're running
>> PPPoE you
>> can encapsulate in that. But PPPoE is very 1990 and has its own
>> set of
>> problems. For those running encapsulated traffic, authentication
>> to the
>> modem MAC via DHCP that becomes broken. And thus far, I have not
>> seen a
>> solution offered to it.
>>
>>
>> Secondly - and less importantly to deployment, IPv6 also provides a
>> layer of problematic tracking for advertisers. Where as before many
>> devices were behind a PAT, now every device has a unique ID --
>> probably
>> for the life of the device. Marketers can now pinpoint down not
>> just to
>> an IP address that identifies a single NAT interface, but each
>> individual device. This is problematic from a data collection
>> standpoint.
>>
More information about the NANOG
mailing list