IPv6 and monitoring, logging and security

quist-uoft
Level 1

I was wondering if there are any guides for providing network administrators with tools or procedures for logging of IPv6 flows?

We have, in a large campus situation, a need to be able to "back calculate" which person or user was in possession of a given source IP address at a given time. E.g. this is necessary to manage and address the frequent "cease and desist" notices which are sent to the admin or technical contacts of network address allocations. What is received is a time stamp, notice of infraction as well as a source IPv4 or, in the future case, IPv6 address.

Given that IPv6 addresses are more "disposable" and "dynamic" than IPv4 ones, what best practices exist, in terms of DNS and DHCPv6 services, to track down past users of old IPv6 addresses?

 

Many thanks in advance.

 

Russell Sutherland
Supervisor, Network Development | Enterprise Infrastructure Solutions
Information Technology Services | University of Toronto
4 Bancroft Ave., Rm. 102 | Toronto, ON  M5S 1C1

 

russell.sutherland@utoronto.ca
+1.416.978.0470 ~ tel

1 Reply

Seb Rupik
VIP Alumni

Hi Russell,

I'm in the process of writing a program to do this as I've not seen anything that provides this function available.

For your wired network you should have an inventory of assets containing at least MAC addresses and the user who owns the device.

On your wireless networks you will probably be using SLAAC and I guess you must be using 802.1x in which case you will be able to identify users to MAC addresses.

Essentially you need to periodically gather (less than the age timer) the IPv6 neighbour table from your core switches (or any edge etc, if it routes); this will give you the GUA and ULA against the MAC address. If you are using any type of authentication, parse those logs for usernames and MAC addresses.

Stir it all together in a database and you should have timestamp, IPv6 address, MAC and user.

 

cheers,

Seb.
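
The correlation described in the reply above, as an added example that is not part of the original post or the program its author mentions: neighbour-table snapshots and authentication events go into SQLite, and a lookup answers "who held this IPv6 address at this time". The Cisco-style `show ipv6 neighbors` column layout, the table names, the `window` tolerance and the sample data (constructed, using the 2001:db8::/32 documentation prefix) are assumptions.

```python
import ipaddress
import re
import sqlite3

# One row of Cisco-style "show ipv6 neighbors": address, age, MAC, state, interface.
NEIGH_RE = re.compile(r"^(\S+:\S*)\s+\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+\S+", re.I)

# Constructed sample snapshot (documentation prefix, made-up MAC address).
SAMPLE = """\
IPv6 Address                 Age Link-layer Addr State Interface
2001:DB8:10::A1B2              0 0011.2233.4455  REACH Vlan10
2001:DB8:10::C3D4              3 0011.2233.4455  STALE Vlan10
FE80::211:22FF:FE33:4455       1 0011.2233.4455  REACH Vlan10
"""

def norm_mac(mac):
    """Canonical MAC: 12 lowercase hex digits, no separators."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def open_db(path=":memory:"):
    db = sqlite3.connect(path, isolation_level=None)  # autocommit each insert
    db.execute("CREATE TABLE IF NOT EXISTS seen (ts INTEGER, ip TEXT, mac TEXT)")
    db.execute("CREATE TABLE IF NOT EXISTS auth (ts INTEGER, mac TEXT, user TEXT)")
    return db

def ingest_neighbors(db, ts, text):
    """Store one neighbour-table snapshot taken at epoch second ts."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        try:
            ip = ipaddress.IPv6Address(m.group(1)) if m else None
        except ValueError:
            ip = None
        if ip is None or ip.is_link_local:   # keep GUA and ULA rows only
            continue
        db.execute("INSERT INTO seen VALUES (?,?,?)", (ts, ip.compressed, norm_mac(m.group(2))))

def ingest_auth(db, ts, mac, user):  # one event parsed from authentication logs
    db.execute("INSERT INTO auth VALUES (?,?,?)", (ts, norm_mac(mac), user))

def who_had(db, ip, ts, window=600):
    """Return (mac, user) holding ip at ts, or None if no snapshot within window seconds."""
    ip = ipaddress.IPv6Address(ip).compressed   # any textual form of the address matches
    row = db.execute("SELECT mac FROM seen WHERE ip=? AND ABS(ts-?)<=? "
                     "ORDER BY ABS(ts-?) LIMIT 1", (ip, ts, window, ts)).fetchone()
    if row is None:
        return None
    user = db.execute("SELECT user FROM auth WHERE mac=? AND ts<=? "
                      "ORDER BY ts DESC LIMIT 1", (row[0], ts)).fetchone()
    return row[0], (user[0] if user else None)
```

Addresses are stored in compressed canonical form so that a notice quoting the expanded form still matches, and the user is taken from the most recent authentication for that MAC at or before the queried time.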
