How do I configure this IPv4 situation in IPv6?
Shadow Hawkins on Sunday, 24 July 2011 20:56:37
Hello,
Before, I had configured my network with 4 subnets: 0 = VPN address range; 1 = wired network; 2 = wireless network; 3 = guests.
There were a limited number of static IP addresses (wired-network devices like the printer and some other fixed-IP devices). There was a DHCP server, which allocated the IP addresses based on MAC address. Based upon IP address, access to resources (mainly Samba network shares) was granted or denied. There was room for a limited number of guests in the DHCP address range (they could only browse the Internet or play games with my son). I had control (in the logs) over the allocated (guest) IP addresses.
Now, with IPv6's auto-configuration, combined with Windows privacy extensions, this whole concept is somewhat less secure and straightforward in my opinion:
- anyone plugging into the network (wirelessly), requesting "some" IP address, will now get one of plenty of IPv6 addresses; there's no limit anymore on how many guests I can admit to the network, let alone which IP address I can allocate.
- even if I restrict my own Windows computers' usage of the (Windows) privacy extensions, I still see 2 extra IPv6 addresses present in these Windows computers' ipconfig output. External Windows computers aren't even "IPv6 address-controllable" at all. In other words: control over allocation of IPv6 addresses is basically gone.
- my network's DNS lookups get complicated this way, as the one-to-one link between IP address and hostname is gone.
- access to the Samba network shares isn't that straightforward anymore either, because my former division into subnets is basically gone too.
- I haven't found too many options in radvd.conf which could help me in this setup either.
My question: how do I best handle (one or more of) these issues? It is maybe a basic question, but one and a half weeks ago I was still "only" thinking in IPv4 terms. So I may not (yet) have caught all the configuration possibilities...
Jeroen Massar on Sunday, 24 July 2011 21:17:06
- anyone plugging into the network (wirelessly), requesting "some" IP address, will now get one of plenty of IPv6 addresses; there's no limit anymore on how many guests I can admit to the network, let alone which IP address I can allocate.
If one can connect to your wired or wireless network, they can also just steal an address; that works just fine.
You could implement IEEE 802.1X on both wired and wireless if you want to properly control this.
- even if I restrict my own Windows computers' usage of the (Windows) privacy extensions, I still see 2 extra IPv6 addresses present in these Windows computers' ipconfig output. External Windows computers aren't even "IPv6 address-controllable" at all. In other words: control over allocation of IPv6 addresses is basically gone.
Normally, if you put that kind of control in a network, you have the computers in that network under your control, and for Windows one can disable all kinds of things using Active Directory.
The other option of course is to enable DHCPv6, but that also does not prevent anybody from still manually configuring an address, just like they could in IPv4.
- my network's DNS lookups get complicated this way, as the one-to-one link between IP address and hostname is gone.
Disable the privacy nonsense on the hosts you own; then you have only 1 IPv6 address left, which is based on the MAC address and thus is as good as static. That address you store in DNS.
- access to the Samba network shares isn't that straightforward anymore either, because my former division into subnets is basically gone too.
Why would those subnets be gone? You can give each interface a different /64. One could even give a different prefix to other addresses with the newer radvds, though that is just hackish, as once one is on a network one can always configure a different address.
Your best answer to this is the same as for IPv4: 802.1X.
Anything else is not real 'security', it is only imagined security.
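The stable address Jeroen refers to is the one SLAAC derives from the MAC (modified EUI-64, RFC 4291 Appendix A). The script below, an added example that is not code from either poster, computes that address for a host, emits the matching AAAA and PTR zone lines, and flags addresses whose interface identifier lacks the EUI-64 marker, which is how the extra RFC 4941 temporary addresses show up in logs and neighbour tables. The prefix, MAC and hostname are constructed sample values (documentation prefix 2001:db8::/32), not taken from the thread.

```python
import ipaddress
from typing import Tuple

# Constructed sample data for this example; none of it comes from the thread.
SAMPLE_PREFIX = "2001:db8:0:1::/64"       # the "wired" /64 in the poster's scheme
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"          # made-up printer MAC
SAMPLE_HOST = "printer.home.example"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle, insert 0xFFFE, and flip the
    # universal/local bit (0x02 in the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC forms from a /64 prefix when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr: str) -> bool:
    """Heuristic: does the interface identifier carry the 0xFFFE marker?

    RFC 4941 temporary identifiers are random, so they practically never
    match; use this to pick the extra privacy addresses out of logs.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_address(addr: str) -> str:
    """Recover the MAC from an EUI-64 address, e.g. to match switch or DHCP logs."""
    if not is_eui64_derived(addr):
        raise ValueError("interface identifier is not EUI-64 derived")
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # drop the FF:FE filler
    return ":".join("%02x" % b for b in octets)


def dns_records(hostname: str, prefix: str, mac: str) -> Tuple[str, str]:
    """Forward (AAAA) and reverse (PTR) zone lines for the host's stable address."""
    addr = slaac_address(prefix, mac)
    return (
        "%s. IN AAAA %s" % (hostname, addr),
        "%s. IN PTR %s." % (addr.reverse_pointer, hostname),
    )


if __name__ == "__main__":
    for line in dns_records(SAMPLE_HOST, SAMPLE_PREFIX, SAMPLE_MAC):
        print(line)
    # Second entry is a constructed random-looking identifier, as a
    # privacy-extension (temporary) address would have.
    for a in (str(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)),
              "2001:db8:0:1:9c1f:8b2a:7e33:4f10"):
        print(a, "EUI-64 (stable)" if is_eui64_derived(a) else "random/temporary")
```

The marker check is a heuristic, not proof of identity: anyone on the link can hand-configure an address with FF:FE in the middle, which is exactly Jeroen's point that only 802.1X, not address layout, gives real control.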