Deny unknown clients on DHCP6

Started by RamSense, December 03, 2021, 09:05:43 AM

I have had IPv6 for a couple of days.
With DHCP4 I have the option [Deny unknown clients], so that a new client which has the wifi login and password but is not in the list can't connect.

I cannot find this option under DHCP6. Where is this option? Or can't I lock DHCP6 like DHCP4?
Deciso DEC850v2

Not easily, as dhcpdv6 relies on a DUID rather than a MAC address, and a DUID can come in many flavours. The other issue is that Android devices will not use dhcpdv6 and will only use SLAAC, and there's no way to stop the devices getting an address. In saying that, you can always block them if they connect using wifi. I've read somewhere that you can try using firewall rules to block individual devices, but that's not fun, and those devices will always get a link-local address on the LAN too.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Thanks for your explanation. Sounds like a lot of fun indeed :-)
I will go with the static DHCPv6 so I can keep a fast look on known and "unknown" devices.
Deciso DEC850v2

The usual way of blocking unknown devices on a corporate network, using port MAC locks on the switches and RADIUS for wifi, solves the issue completely. Of course you can always use the same methods in a domestic environment if you really need to.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on December 03, 2021, 10:23:30 AM
Not easily, as dhcpdv6 relies on a DUID rather than a MAC address, and a DUID can come in many flavours. The other issue is that Android devices will not use dhcpdv6 and will only use SLAAC, and there's no way to stop the devices getting an address. In saying that, you can always block them if they connect using wifi. I've read somewhere that you can try using firewall rules to block individual devices, but that's not fun, and those devices will always get a link-local address on the LAN too.

Which leads me to the conclusion that IPv6 is malware. When will a firewall be able to get this protocol under proper (user) control?

RADIUS and switch mods are fine, but I want to have full control VIA MY FIREWALL... ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

:) It is what it is, and eventually (not in our lifetimes) IPv4 will fade away; you just have to do things a different way. Below is a little bit I found on the ISC site; it sort of explains the issue better than I can. The thing is, it's the RFCs that state you are not allowed to do certain things.


QuoteBear in mind that in IPv6 there is no MAC address field or option in the client request packets. The *ONLY* field available is the DUID. Note carefully what it says in the clip above ... while not as well laid out as perhaps it could be, it says that for IPv4 the dhcp-client-identifier option and the hardware address can be used, and for IPv6 the host-identifier option can be used (I'm not that familiar with IPv6 DHCP, I assume host-identifier is the option name used by the ISC code for the DUID). This has been endlessly "discussed" before, but the facts don't change - you cannot use hardware address to identify IPv6 clients. There is a proposal going through the works at the moment to define a hardware address option, but assuming that goes through, it would take some time before all the various clients got updated to use it. Even if clients use DUID-LLT, or even DUID-LL, then the RFCs expressly forbid "looking inside" the option (eg to extract MAC address which may not be for the same interface anyway) - you are only allowed to treat the value as an opaque string which you can match with another string.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member
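The two points made above (a DUID "can come in many flavours", and a server may only match it as an opaque string rather than dig a MAC out of it) are easier to see with the bytes in hand. The following is an added example written for this page, not code from OPNsense, ISC dhcpd or any poster. It decodes the four DUID types defined in RFC 8415 section 11 and contrasts the RFC-compliant opaque match with what a MAC-based allow-list would have to do. All DUIDs, the MAC 00:11:22:33:44:55 and the enterprise number 0xc0de are constructed for the example and belong to no real device.

```python
"""DHCPv6 DUID flavours (RFC 8415, section 11) and opaque client matching.

Added example, not OPNsense or ISC code. Only DUID-LLT and DUID-LL carry a
link-layer address at all, and DUID-LLT also embeds the time the DUID was
generated, so the same NIC can legitimately present different DUIDs after a
reinstall. A server therefore keys known clients on the whole DUID string.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
# RFC 8415: the DUID-LLT time field is seconds since 2000-01-01 00:00 UTC (mod 2**32)
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample DUIDs in the colon-separated hex form a server log would show.
# Not real devices: the MAC and the enterprise number 0xc0de are made up.
SAMPLE_DUIDS = {
    "laptop-llt": "00:01:00:01:2a:b3:c4:d5:00:11:22:33:44:55",  # type 1: hwtype 1, time, MAC
    "laptop-ll":  "00:03:00:01:00:11:22:33:44:55",              # type 3: hwtype 1, same MAC, no time
    "appliance":  "00:02:00:00:c0:de:0c:0d:0e:0f",              # type 2: enterprise number + vendor id
    "vm":         "00:04:" + ":".join(f"{b:02x}" for b in bytes(range(16))),  # type 4: 16-byte UUID
}


def normalize(duid):
    """Canonical opaque form: lowercase hex with separators removed."""
    return duid.replace(":", "").replace("-", "").lower()


def parse_duid(duid):
    """Decode the DUID type code and its fields; raises ValueError on malformed input."""
    raw = bytes.fromhex(normalize(duid))
    if len(raw) < 3:
        raise ValueError("DUID needs a 2-byte type code plus at least one payload byte")
    (dtype,) = struct.unpack("!H", raw[:2])
    body = raw[2:]
    if dtype == DUID_LLT:
        if len(body) < 7:
            raise ValueError("DUID-LLT too short")
        hwtype, secs = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hwtype": hwtype,
                "generated": DUID_EPOCH + timedelta(seconds=secs),
                "lladdr": body[6:].hex(":")}
    if dtype == DUID_EN:
        if len(body) < 5:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", body[:4])
        return {"type": "DUID-EN", "enterprise": enterprise, "identifier": body[4:].hex()}
    if dtype == DUID_LL:
        if len(body) < 3:
            raise ValueError("DUID-LL too short")
        (hwtype,) = struct.unpack("!H", body[:2])
        return {"type": "DUID-LL", "hwtype": hwtype, "lladdr": body[2:].hex(":")}
    if dtype == DUID_UUID:
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": uuid.UUID(bytes=body)}
    return {"type": f"unknown({dtype})", "body": body.hex()}


def lookup_client(duid, known):
    """RFC-compliant match: the whole DUID compared as an opaque string.
    `known` maps normalize(duid) -> client name, as a static-mapping table would."""
    return known.get(normalize(duid))


def embedded_mac(duid):
    """What a MAC keyed allow-list would have to do: peek inside the DUID.
    Returns None for the two types that carry no link-layer address at all."""
    return parse_duid(duid).get("lladdr")


if __name__ == "__main__":
    # Static mappings as an admin would enter them: the server's string, nothing decoded.
    known = {normalize(SAMPLE_DUIDS["laptop-llt"]): "laptop",
             normalize(SAMPLE_DUIDS["appliance"]): "appliance"}
    for name, duid in SAMPLE_DUIDS.items():
        info = parse_duid(duid)
        print(f"{name:12} {info['type']:10} known-as={lookup_client(duid, known)!s:10} "
              f"mac-inside={embedded_mac(duid)}")
```

Running it shows the practical consequence for a "deny unknown clients" scheme: laptop-llt and laptop-ll carry the identical MAC, yet only the one whose exact DUID string is in the table is recognised, and the appliance and vm entries have no MAC to key on in the first place. A static DHCPv6 mapping therefore has to be re-entered whenever a client regenerates its DUID, which is what the thread's suggestion to fall back on switch port security or RADIUS is working around.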