Message from msheiny@seas.upenn.edu

We currently have IPv6 enabled (SLAAC) in our environment and need to move towards DHCPv6 and a captive registration system. Does anyone have any recommendations for products on this front (commercial or open-source)? I saw a lot of people recommended PacketFence on a previous NAC inquiry here, but as far as I could tell they don't support IPv6 yet. Thanks in advance!

Mike

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

I would be curious about this as well, if anyone has any info on this subject. Thanks.
Paul Kern (RIS)
605.367.7594

I have been thinking a good deal about this and am happy to share experience, thoughts, and (mis?)understandings. We have enabled v4/v6 dual stack on our residential network, using SLAAC. We currently use NetReg on the resnet for registration. We also use NetDisco to track IP_addr/mac/switchport correlations. (The most recent version of NetDisco does support V6 and is working quite well.)

There seems to be an agreement among folks who really understand IPv6 on two things:
1) SLAAC is broken
2) DHCPv6 is broken.

The brief analysis seems to be that SLAAC will not issue a DNS server (this is *supposed* to be addressed in forthcoming implementations.) DHCPv6 does not issue a default gateway, so RAs are still needed for the router. (Spoofed RAs are a whole other topic :-(

NetReg, and I believe PacketFence, issue non-routing IP addresses and a spoofed DNS server (that resolves everything back to its own registration page) until there has been registration. These are always subject to being circumvented by knowledgeable users; however, so far most of us have found them "good enough." We currently have a dual-stack internal DNS server that will resolve names to both V4 and V6 addresses (where the V6 address exists for that DNS name query.) Our thinking is that if a machine has not registered, even though they will receive a valid V6 address and router via SLAAC, they will still not have a valid DNS server till they have registered, and therefore cannot get to the internet on either V4 or V6 till registration. Of course, this would not work in a pure V6 environment, but that is a long long way away for us :-) On registration, they receive a valid v4 addr, a valid v4 gw, a valid DNS server and the ability to reach it. Then they can get out on V4 or V6. I suppose someone could get to the V6 internet via IP address prior to registration, but that does not seem like an issue for now.

Infoblox tells us that they support V4 and V6 IPAM and DHCP: anyone using this with good results?  We have had other fiscal priorities, and it is kind of pricey, so we are not likely to use it soon.   

Would like to hear others' experiences.
best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327
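
The gap described in the post above (an unregistered host still receives a routable V6 address via SLAAC) can be measured from MAC/IPv6 correlation data of the kind the post says NetDisco collects. The following is an added example, not part of the original thread and not NetReg or NetDisco code; the campus prefix, the sample rows and the function names are constructed assumptions.

```python
import ipaddress

# Hypothetical campus prefix and constructed sample data (not from the thread).
CAMPUS_PREFIX = ipaddress.ip_network("2001:db8:100::/48")
REGISTERED_MACS = {"00:11:22:33:44:55"}
NEIGHBORS = [  # (MAC, IPv6 address) pairs, as a neighbor-table export might list them
    ("00:11:22:33:44:55", "2001:db8:100:10:211:22ff:fe33:4455"),  # registered
    ("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),            # link-local
    ("00:AA:BB:CC:DD:EE", "2001:db8:100:10:2aa:bbff:fecc:ddee"),  # unregistered, EUI-64
    ("00:aa:bb:cc:dd:ee", "2001:db8:100:10:a1b2:c3d4:e5f6:789"),  # unregistered, privacy
    ("de:ad:be:ef:00:01", "fe80::dcad:beff:feef:1"),              # link-local only
]


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy/temporary or manually assigned interface ID
    # Undo the universal/local bit flip applied when the address was formed.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def unregistered_v6_hosts(neighbors, registered_macs, prefix=CAMPUS_PREFIX):
    """List (mac, address, iid_kind) for unregistered MACs holding a routable address."""
    registered = {m.lower() for m in registered_macs}
    findings = []
    for mac, addr in neighbors:
        mac, ip = mac.lower(), ipaddress.IPv6Address(addr)
        if mac in registered or ip not in prefix:
            continue  # registered host, or link-local/off-campus address
        # "opaque" addresses cannot be tied to a MAC without the neighbor table.
        kind = "eui64" if eui64_mac(addr) == mac else "opaque"
        findings.append((mac, str(ip), kind))
    return findings


if __name__ == "__main__":
    for mac, addr, kind in unregistered_v6_hosts(NEIGHBORS, REGISTERED_MACS):
        print(f"unregistered {mac} holds {addr} ({kind} interface ID)")
```

The "opaque" rows show why the MAC-to-address correlation has to come from the router's neighbor table: a privacy address carries no trace of the MAC that registration is keyed on.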