Hi,
Jim Jackson <[log in to unmask]> [20080111 10:01:32 +0000]:
>
> On Fri, 11 Jan 2008, Tom Griffin wrote:
>
> >Hello all,
> >
> >We have been experimenting with IPv6 on our network and are preparing for
> >a potential campus-wide deployment, but have hit a snag when it comes to
> >logging and traceability of user access.
> >
> >How are other institutions implementing AAA for IPv6 services, and does
> >JANET have any recommendations as to how we can meet our obligations as
> >set out in the AUP whilst using IPv6.
> >
>
> Any interface can have any number of IPv6 addresses, and under Windows
> IPv6 privacy addresses are used by default, meaning that the IPv6
> addresses change in time for the same machine.
>
> At the moment with IPv4, we poll the router interfaces for all the campus
> LANs pulling the arp entries into a database along with a timedate stamp.
> Our discussions here at Uni. of Leeds (last Monday actually - weird
> synchronicity there) suggested we are going to have to do something
> similar, by pulling the neighbour discovery data. We've not done much
> research, but I don't know the relevant SNMP MIB, or even if it's been
> defined? Anyone know? We then have to wait for the manufacturers to
> implement it! Of course we could do some TCL/Expect or perl/expect
> hackery.
>
My brain (still in its pre-coffee stage) is suggesting something overly
complex but doable.
A remote span with a filter to send *all* neighbour discovery to a single
interface with a Linux/*BSD box on the other side. This box then runs a Perl
script that calls upon Net::Pcap and then decodes packets appropriately. You
then do get live data...all you need to do is make sure your edge kit is not
overly susceptible to MAC spoofing (802.1X to bind users/hosts to MACs).
Just a thought off the top of my head.
Cheers
Alex