Hello,
I might be missing something really obvious here, but I can't find
anything in the archives and don't know of a standard solution.
We are facing a problem that enabling IPv6 on a subnet (which we are only
doing when it is required and it's limited in scope, so far) instantly
causes a pile of machines with IPv6 enabled to spring into life and start
using it. Of course, this is just what IPv6 was designed to do.
However, we then have a problem of registration which is in two parts.
The first is that of DNS registration - like most people on here I
suspect, we register a machine in the DNS when we allocate it an IP
address. With IPv6 and EUI-64, we aren't really 'allocating' an address
and a host can start using an unregistered IP address (which isn't the
'clashing' issue it was in IPv4 but is slightly annoying). The problem is
exacerbated with RFC3041 so-called 'Privacy Extensions'.
Does anyone have any suggestions for this? Is there a feature in BIND or
some other DNS server we've not come across?
Another problem is that of machines just working. I know we shouldn't
rely on not having a valid IP address as a suitable security measure, but
the fact is that we do (and probably will for a while to come). We can
obviously take steps to stop Router Advertisement, but I think it's the
wrong way to go about things and probably ultimately doomed to fail.
Besides, we're trying to break one of the things IPv6 has had designed into it
as a feature from the word go.
This is actually a more complex problem than it first appears because people
with IPv6-enabled hosts might suddenly gain an IPv6 address without
knowing and find themselves visible in a whole different address space
(with different firewall rules) and so could be accessing services (and
being accessed) via means they were unaware of.
In fact, it is an even more complex problem than that, as we use
multinetting with a combination of private (RFC1918) and public IPv4
addresses as a [not exactly satisfactory] way of keeping internal-only
hosts hidden from the internet, as well as attempting to alleviate our
public IP address shortage. With IPv6 enabled, a device can be visible
with a public address in IPv6 but a private address in IPv4 with the
mistaken belief only the latter is active.
Of course, the correct solution here is to disable the IPv6 services on a
host but, being realistic, users tend to plug things in and only seek
assistance when things don't work.
Thanks for any assistance in advance,
- Bob
--
Bob Franklin <[log in to unmask]> +44 1223 748479
Network Division, University of Cambridge Computing Service
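An added example, not part of Bob's message or any reply to it: the DNS registration side of the problem above turns on the relationship between a host's MAC address (which you typically hold when you register it) and the EUI-64 interface identifier it will autoconfigure, and on telling such addresses apart from RFC 3041 temporary ones. The script below predicts each registered host's EUI-64 address for an advertised /64, recovers the MAC from an observed EUI-64 address, and labels addresses that lack the EUI-64 shape as probable temporary addresses. The prefix, MACs, hostnames and observed addresses are constructed for the example; the "0xFFFE in the middle" test is a heuristic, stated as such in the code.

```python
"""Predict, reverse and classify SLAAC addresses for DNS registration.

Assumptions (example data, not from the original post):
  - the subnet prefix is 2001:db8:1234:5678::/64
  - registered hosts are known by hostname -> MAC
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    insert 0xFFFE between the OUI and the device part and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    first = octets[0] ^ 0x02          # flip the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host with this MAC will autoconfigure for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64-derived address, or None if the
    interface identifier does not have the EUI-64 shape.
    Heuristic: an identifier with 0xFFFE in octets 3-4 is treated as EUI-64;
    a random RFC 3041/4941 identifier will almost never look like that."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def classify_observed(prefix: str, registered: dict, observed: list) -> dict:
    """Map addresses seen on a subnet back to registered hostnames.

    registered: {hostname: mac}
    Returns {address: hostname | "unregistered-mac:<mac>" | "probable-temporary-address"}.
    """
    expected = {slaac_address(prefix, mac): host for host, mac in registered.items()}
    result = {}
    for a in observed:
        addr = ipaddress.IPv6Address(a)
        if addr in expected:
            result[a] = expected[addr]          # safe to register in DNS now
        else:
            mac = mac_from_address(a)
            if mac is not None:
                result[a] = "unregistered-mac:" + mac   # EUI-64, but MAC unknown to us
            else:
                result[a] = "probable-temporary-address"  # RFC 3041 style, will change
    return result


# Constructed sample data for the example (not real hosts or addresses).
PREFIX = "2001:db8:1234:5678::/64"
REGISTERED = {"host-a.example": "00:11:22:33:44:55"}
OBSERVED = [
    "2001:db8:1234:5678:211:22ff:fe33:4455",   # host-a's EUI-64 address
    "2001:db8:1234:5678:2aa:bbff:fecc:ddee",   # EUI-64 from a MAC we never registered
    "2001:db8:1234:5678:1c9a:7b3e:5d2f:8a41",  # random identifier, privacy-extension style
]

if __name__ == "__main__":
    for address, label in classify_observed(PREFIX, REGISTERED, OBSERVED).items():
        print(f"{address:40} {label}")
```

Run against a neighbour-table dump (or the `ip -6 neigh` output on the router) this gives three buckets: addresses you can register straight away because they correspond to a MAC you already hold, EUI-64 addresses whose MAC is unknown and so need the same chasing-up as an unregistered IPv4 host, and temporary addresses, which are not worth putting in forward DNS at all because they are regenerated.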