Hello,

I might be missing something really obvious here, but I can't find 
anything in the archives and don't know of a standard solution.

We are facing a problem that enabling IPv6 on a subnet (which we are only 
doing when it is required and it's limited in scope, so far) instantly 
causes a pile of machines with IPv6 enabled to spring into life and start 
using it.  Of course, this is just what IPv6 was designed to do.

However, we then have a problem of registration which is in two parts.


The first is that of DNS registration - like most people on here I 
suspect, we register a machine in the DNS when we allocate it an IP 
address.  With IPv6 and EUI-64, we aren't really 'allocating' an address 
and a host can start using an unregistered IP address (which isn't the 
'clashing' issue it was in IPv4 but is slightly annoying).  The problem is 
exacerbated with RFC3041 so-called 'Privacy Extensions'.

Does anyone have any suggestions for this?  Is there a feature in BIND or 
some other DNS server we've not come across?


Another problem is that of machines just working.  I know we shouldn't 
rely on not having a valid IP address as a suitable security measure, but 
the fact is that we do (and probably will for a while to come).  We can 
obviously take steps to stop Router Advertisement, but I think it's the 
wrong way to go about things and probably ultimately doomed to fail. 
Besides we're trying to break one of things IPv6 has had designed into it 
as a feature from the word go.

This is actually more complex problem than it first appears because people 
with IPv6-enabled hosts might suddenly gain an IPv6 address without 
knowing and find themselves visible in a whole different address space 
(with different firewall rules) and so could be accessing services (and 
being accessed) via means they were unaware of.

In fact, it is an even more complex problem than that was we use 
multinetting with a combination of private (RFC1918) and public IPv4 
addresses as a [not exactly satisfactory] way of keeping internal-only 
hosts hidden from the internet, as well as attempting to alleviate our 
public IP address shortage.  With IPv6 enabled, a device can be visible 
with a public address in IPv6 but a private address in IPv4 with the 
mistaken belief only the latter is active.


Of course, the correct solution here is to disable the IPv6 services on a 
host but, being realistic, users tend to plug things in and only seek 
assistance when things don't work.

Thanks for any assistance in advance,

   - Bob


-- 
  Bob Franklin <[log in to unmask]>              +44 1223 748479
  Network Division, University of Cambridge Computing Service