SixXS::Sunset 2017-06-06

DHCP with IPv6 ?
[ca] Shadow Hawkins on Friday, 12 March 2010 08:44:47
On our mid-sized IPv4 network at a research organization, we use DHCP to hand out static IP addresses and keep track of machines in DNS; if there's a problem with some IP address (malware, takedown notice etc.) we can usually find where it is from the hostname. Using IPv6 stateless address configuration, e.g. with radvd, I have no idea what addresses are allocated to what machines. At least, I understand there is an algorithm based on the MAC address, which is different on different operating systems and depends on what privacy option is used. So tracking down a machine would be a rather painful process of packet inspection and MAC extraction. I understand that ISC dhcpd 4.1.0 supports DHCP over IPv6, which would give a familiar allocation method like in IPv4. Is anyone using this successfully?
DHCP with IPv6 ?
[ch] Jeroen Massar SixXS Staff on Friday, 12 March 2010 10:31:00
First of all, your magical keyword is: 802.1x -> authenticate who/what is using the link. That solves your Layer 2 issue. Then, for finding culprits, install a tool like arpwatch (IPv4) and ndpmon (IPv6) to monitor which addresses are being used by which host; well, at least which MAC address, but they authenticated themselves with 802.1x, thus you know who they are trying to be. If you have a larger environment (or even a small one) you can always go into the management switch (web-if or, if lucky, ssh/telnet) and get the MAC-table-to-interface-ID mapping from there, and then you also know where the culprit is physically located. As for DHCPv6, though it will indeed give you the ability to assign a single IP to a specific device, in IPv6 hosts are still able to use any other address out of the /64; as such, you will have to look at the switch/arpwatch/ndpmon anyway. Thus DHCP does not solve your problem; it will only help in the cases where hosts are being nice.
DHCP with IPv6 ?
[ca] Shadow Hawkins on Sunday, 14 March 2010 18:44:35
Thank you for the info re. ndpmon. Most of the time hosts are being nice, or users don't know how to hide. I've only seen malware use unallocated IPv4 addresses once. There is still an issue of how to trace things when not in full forensic mode, e.g. checking email or webserver logs for "I can't send mail" or "this form won't work". Currently IPv4 resolves to names in DNS, because we hand out static names in DHCP. How can one populate reverse DNS in IPv6 if using stateless autoconfiguration? DDNS? We have been uncomfortable with random Windows endpoints being able to rewrite DNS records, and prefer to limit access to trusted servers. Is there any way to trace connections over the Internet? Currently many organizations provide reverse DNS, and if not I can query whois at ARIN, RIPE etc. to determine at least a network provider. I tried that in IPv6, but maybe I just did not have the correct syntax. Most of the time, users aren't interested in hiding or privacy. They come to me with questions like "can't you block this spam?" or "why isn't my mail from example.org getting through?" and have no idea how to look up their own IP address. And the more I think about it, the more I realize that things like SSH key filters, spam blacklists, webserver access rules etc. etc. depend on having working reverse DNS, or at least a knowledge of what netblocks belong to whom.
DHCP with IPv6 ?
[ca] Shadow Hawkins on Sunday, 14 March 2010 22:23:28
Re. whois to ARIN: when I try that now, it works fine. I'm not sure what I did earlier. E.g.:
whois 2001:4978:f:431::2
whois NET6-2001-4978-F-1@whois.arin.net
DHCP with IPv6 ?
[ch] Jeroen Massar SixXS Staff on Monday, 15 March 2010 00:25:28
> There is still an issue of how to trace things when not in full forensic mode,
> e.g. checking email or webserver logs for "I can't send mail" or "this form
> won't work".

Hostnames, especially from DNS, don't say anything. Like the IP address itself, the actual host attached to it can change. Doing 'security' based on DNS is really bad.

> Currently IPv4 resolves to names in DNS, because we hand out
> static names in DHCP.

> DDNS ? We have been uncomfortable with random Windows endpoints being able to
> rewrite DNS records, and prefer to limit access to trusted servers.

If you have static mappings from IP<->DNS, then why not simply store the IP in the first place? You can easily create a PowerDNS backend which does on-the-fly generation of IP addresses btw.

> Is there any way to trace connections over the Internet ?

NetFlow/SFlow/tcpdump? Depends on what you need.

> Currently many organizations provide reverse DNS

You mean 4.3.2.1.in-addr.arpa. IN PTR www.fbi.gov.? Reverse DNS does not mean anything unless one also checks the forward at the same time. And then it was only valid for that point in time, and maybe spoofed if not DNSSEC signed.

> Most of the time, users aren't interested in hiding or privacy.

Most users actually care a lot about privacy and quite a few want to hide too; that is why networks like Tor etc. exist.

> They come to me with questions like "can't you block this spam?"

Use a proper spamfilter.

> or "why isn't my mail from example.org getting through ?"

All kinds of issues ;)

> and have no idea how to look up their own ip address.
> And the more I think about it, the more I realize that
> things like SSH key filters, spam blacklists, webserver
> access rules etc. etc. depend on having working reverse DNS,
> or at least a knowledge of what netblocks belong to whom.

Even with RA hosts are 'static', as they get the /64 prefix from the RA and the EUI-64 part from the host, which tends to be the same as the MAC address. Of course that is not the case when the privacy (3041) options are enabled. In short: use IP prefixes, not reverse DNS, for your 'security'.
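The forward check the reply asks for, as an added example that is not part of the original post or of SixXS: it builds the in-addr.arpa / ip6.arpa owner name for an address and accepts a PTR name only if that name's A/AAAA records point back at the address (forward-confirmed reverse DNS). The lookup function is injected; FAKE_DNS is a constructed table using documentation addresses and example.com/example.org names (192.0.2.44 plays the role of the post's "4.3.2.1.in-addr.arpa IN PTR www.fbi.gov" illustration), so the script runs offline and none of it is real DNS data.

```python
"""Forward-confirmed reverse DNS (FCrDNS): accept a PTR name only when that
name's A/AAAA records point back at the address.

Added example, not code from the thread or from SixXS.  The lookup function is
injected; FAKE_DNS below is a constructed table using documentation addresses
and example.com/example.org names, not real DNS data.
"""
from __future__ import annotations

import ipaddress
from typing import Callable


def reverse_name(ip: str) -> str:
    """PTR owner name: dotted-reversed octets under in-addr.arpa for IPv4,
    32 reversed hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = f"{int(addr):032x}"
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def fcrdns(ip: str, lookup: Callable[[str, str], list[str]]) -> list[str]:
    """Return the PTR names for ip that are forward-confirmed, i.e. whose
    A (IPv4) or AAAA (IPv6) records contain ip.  An empty list means the
    reverse mapping is missing or unconfirmed and should carry no weight."""
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for name in lookup(reverse_name(ip), "PTR"):
        forward = {ipaddress.ip_address(x) for x in lookup(name, rrtype)}
        if addr in forward:
            confirmed.append(name)
    return confirmed


# Constructed stand-in for the DNS.  192.0.2.44 plays the role of the post's
# "4.3.2.1.in-addr.arpa IN PTR www.fbi.gov" example: its PTR claims a name whose
# forward record points elsewhere, so the claim must not be trusted.
FAKE_DNS: dict[tuple[str, str], list[str]] = {
    (reverse_name("192.0.2.44"), "PTR"): ["www.example.com"],
    ("www.example.com", "A"): ["198.51.100.7"],
    (reverse_name("192.0.2.25"), "PTR"): ["mail.example.org"],
    (reverse_name("2001:db8:10::7"), "PTR"): ["mail.example.org"],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("mail.example.org", "AAAA"): ["2001:db8:10::7"],
}


def fake_lookup(name: str, rrtype: str) -> list[str]:
    """Offline resolver over FAKE_DNS; a real deployment would query the
    resolver here and return the rdata strings for (name, rrtype)."""
    return FAKE_DNS.get((name.lower().rstrip("."), rrtype.upper()), [])


if __name__ == "__main__":
    for ip in ("192.0.2.44", "192.0.2.25", "2001:db8:10::7", "2001:db8:10::bad"):
        ptr = fake_lookup(reverse_name(ip), "PTR") or ["-"]
        print(f"{ip:<20} PTR={ptr[0]:<18} confirmed={fcrdns(ip, fake_lookup)}")
```

Swapping in a real resolver function (for instance one built on dnspython's dns.resolver.resolve, returning the rdata as strings) turns this into a usable check for mail relays or web ACLs, with the reply's two caveats intact: the result is true only for the moment of the query, and without DNSSEC validation it is only as trustworthy as the resolver path. The standard library also exposes the same owner name as `ipaddress.ip_address(ip).reverse_pointer`; the function above spells out the nibble form so the IPv6 layout is visible.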
DHCP with IPv6 ?
[ca] Shadow Hawkins on Wednesday, 17 March 2010 18:44:09
> Hostnames, especially from DNS don't say anything. Like the IP address itself, the actual host attached to it can change. Doing 'security' based on DNS is really bad.

In an ideal world, we could avoid it. With what we have, which includes things like process controllers running NFS using the IP address for authentication, we are stuck with it for now. If we control the DNS, then names are equivalent to IP addresses. With ingress filtering, we can ensure that at least a source is onsite. True, we could have onsite spoofing, or MAC spoofing come to that, and certificate-based authentication could be used on modern equipment, plus we can firewall the old stuff to be more secure. But even implementing client-side certificates in HTTP is painful, at least in end-user training if nothing else, so we still use netblock/rDNS access control to semi-private web resources.

> Most users actually care a lot about privacy and quite a few want to hide too, that is why networks like Tor etc exist.

Tor has a very small membership compared to the total user base. Facebook users seem quite willing to sacrifice privacy to run apps like "what kind of animal are you?". But I digress. If users are on our network and want our help debugging their network problems, they'd better be using an identifiable endpoint. DNS may not be secure, but it's convenient, widely deployed, and well-understood.

> > They come to me with questions like "can't you block this spam?"
> Use a proper spamfilter.

Perhaps a bad example. But we whitelist some partners, on the basis that most people would rather get 50 spams than lose one important email. And some of that is based on the resolved domain name of the last relay. Not all our partners (or ourselves) have implemented DKIM yet.

> Even with RA hosts are 'static' ... Of course that is not the case when the privacy (3041) options are enabled.

Which I understand is the default state in Windows >= Vista. Thank you for the comments and information, which are at least thought-provoking and useful.


Static Sunset Edition of SixXS
©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker