Re: [v6ops] Implementation Status of PREF64

[Lorenzo Colitti <lorenzo@google.com>]

You're right. 802.1x is L2 only, and authenticates the entire MAC address
(with all its IPv4 and IPv6 addresses).

But Owen: the conclusion is the same. If you have 802.1x you don't need
DHCPv6 for tracking, all you need to do is to be able to track which IPv6
addresses were assigned to a given client over time. Basically, the
neighbour binding logging that many vendors alreay support. +Enno Rey
<erey@ernw.de> provided a good summary in his blog post Does One Need
DHCP(v6)?
<https://theinternetprotocolblog.wordpress.com/2020/03/14/does-one-need-dhcpv6/>

On Tue, Sep 28, 2021 at 11:18 AM Mark Smith <markzzzsmith@gmail.com> wrote:

> I'm broadly quite confused by both of these scenarios, in the sense that I
> thought 802.1X just used layer 2 frames (because it's an IEEE protocol),
> and authentication needed to be completed successfully on a host's
> interface before IP could be used. No pre-existing IPv4 or IPv6
> connectivity was required to successfully perform 802.1X.
>
> In other words, 802.1X is layer 2 access control to the network, at the
> device's layer 2 point of attachment, that either grants or denies
> permission to send and receive layer 2 frames other than 802.1X frames.
>
> Since 802.1X authentication is per layer 2 point of attachment, that then
> creates the handle for the layer 2 device to do things like record layer 3
> addresses used by the 802.1X authenticated entity, regardless of how the
> IPv4 and/or IPv6 addresses are acquired, generated or configured.
>
> Regards,
> Mark.
>
> On Tue, 28 Sep 2021, 11:11 Lorenzo Colitti, <lorenzo@google.com> wrote:
>
>> On Tue, Sep 28, 2021 at 6:04 AM Owen DeLong <owen=
>> 40delong.com@dmarc.ietf.org> wrote:
>>
>>>
>>> In the tightest forms, it goes something like this (oversimplified and
>>> generic):
>>>
>>> 0. Port starts out locked down to communicating with DHCPv6 server and
>>> NAC authenticator only.
>>> 1. Use LL address to send DHCPv6 request.
>>> 2. Get DHCPv6 address and use that for 802.1x authentication. There are
>>> a variety of options
>>> here including authentication of not only the machine, but also the
>>> individual currently
>>> using the machine and the classification of network privileges based on
>>> either or both
>>> of these factors, etc.
>>> 3. A filter is added to your port permitting your presented DHCPv6
>>> address (which the NAC authenticator
>>> has validated matches to your MAC and LL address) that permits your LL
>>> and DHCPv6 addresses
>>> to communicate with the rest of the network. Any additional policies can
>>> also be added at this
>>> point if the administrator chooses.
>>>
>>
>> I don't see how DHCPv6 is required for any of this. What you describe
>> above boils down to, "a machine is allowed to use the network only if its
>> MAC address is acceptable to the network". That can be done with SLAAC just
>> as well. Let me reword for SLAAC:
>>
>> 0. Port starts out locked down to communicating with NAC authenticator
>> only.
>> 1. Use LL address to send RS.
>> 2. Get IPv6 address from SLAAC and use that for 802.1x authentication.
>> There are a variety of options
>> here including authentication of not only the machine, but also the
>> individual currently
>> using the machine and the classification of network privileges based on
>> either or both
>> of these factors, etc.
>> 3. A filter is added to your port permitting your presented MAC address
>> to to communicate with the
>> rest of the network. Any additional policies can also be added at this
>> point if the administrator chooses.
>>
>> This is better than the DHCP version above because it allows the client
>> to use multiple IP addresses and does not need to be re-done when the IP
>> address changes.
>>
>