Jim Jackson wrote:
> On Fri, 11 Jan 2008, Tom Griffin wrote:
>> Hello all,
>>
>> We have been experimenting with IPv6 on our network and are preparing
>> for a potential campus-wide deployment, but have hit a snag when it
>> comes to logging and traceability of user access.
>>
>> How are other institutions implementing AAA for IPv6 services, and
>> does JANET have any recommendations as to how we can meet our
>> obligations as set out in the AUP whilst using IPv6.
>>
>
> Any interface can have any number of IPv6 addresses, and under Windows
> IPv6 privacy addresses are used by default, meaning that the IPv6
> addresses change in time for the same machine.
>
> At the moment with IPv4, we poll the router interfaces for all the
> campus LANs pulling the arp entries into a database along with a
> timedate stamp. Our discussions here at Uni. of Leeds (last Monday
> actually - weird synchronicity there) suggested we are going to have
> to do something similar, by pulling the neighbour discovery data.
> We've not done much
> research, but I don't know the relevant SNMP MIB, or even if it's been
> defined? Anyone know? We then have to wait for the manufacturers to
> implement it! Of course we could do some TCL/Expect or perl/expect
> hackery.
>
> But it's a good timely question.

We have had a similar discussion here and came to the same conclusion.
There is an IPv6 MIB for gathering such information
(http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=ipv6NetToMediaNetAddress)
but I'm unsure of Cisco's support for this (our current IOS certainly
doesn't support it).
We also thought that Expect scripting would be a viable alternative, but
neighbour table entries seem to age in a different way to ARP entries
and come and go constantly, meaning that any polling script would have
to be polling on a relatively small delay in order to gather the data
for all users (the ageing may be configurable, but I have not found an
option for this yet). Does anyone have any information on how Cisco
routers handle the ageing of the v6 neighbour table in order for us to
find a happy medium between polling and number of entries?