Main Nav

Message from msheiny@seas.upenn.edu

We currently have IPv6 enabled (SLAAC) in our environment and need to move towards DHCPv6 and a captive registration system. Does anyone have any recommendations for products on this front (commercial or open-source)? I saw a lot of people recommended PacketFence on a previous NAC inquiry here, but as far as I could tell they don't support IPv6 yet. Thanks in advance! Mike ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

I would be curious about this as well, if anyone has any info on this subject. Thanks. Paul Kern (RIS) 605.367.7594
I have been thinking a good deal about this and am happy to share experience, thoughts, and (mis?) understandings.  We have enabled v4/v6 dual stack on our residential network, using slaac.  We currently use NetReg on the resnet for registration.  We also use NetDisco to track IP_addr/mac/switchport correlations.  (The most recent version of NetDisco does support V6 and is working quite well.)  

There seems to be an agreement among folks who really understand IPV6 on two things:
1) Slaac is broken
2) DHCPv6 is broken.  

The brief analysis seems to be that Slaac will not issue a DNS server (this is *supposed* to be addressed in forthcoming implentations.)  DHCPv6 does not issue a default gateway, so RAs are still needed for the router.  (Spoofed RAs are a whole other topic :-(

NetReg, and I believe PacketFence issue non-routing ip addresses and a spoofed DNS server (that resolves everything back to it's own registration page) until there has been registration.  These are always subject to being circumvented by knowledgeable users, however so far most of us have found them "good enough."  We currently have a dual-stack internal DNS server that will resolve names to both V4 and V6 addresses (where the V6 address exists for that DNS name query.)  Our thinking is that if a machine has not registered, even though they will receive a valid V6 address and router via Slaac, they will still not have a valid DNS server till they have registered, and therefore cannot get to the internet on either V4 or V6 till registration.  Of course, this would not work in a pure V6 environment, but that is a long long way away for us :-)  On registration, they receive a valid v4 addr, a valid v4 gw, a valid DNS server and the ability to reach it.  Then they can get out on V4 or V6.  I suppose someone could get to the V6 internet via ip address prior to registration, but that does not seem like a issue for now.

Infoblox tells us that they support V4 and V6 IPAM and DHCP: anyone using this with good results?  We have had other fiscal priorities, and it is kind of pricey, so we are not likely to use it soon.   

Would like to hear others' experiences.
best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn@adelphi.edu
5168773327


Close
Close


Connect: San Antonio
April 22–24
Register Now

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2015 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.