
Should clientless users be able to be assigned by MAC and not IP? (Looking towards IPv6)

Would it be possible and would it be a good idea to add the capability for Clientless Users to be designated via MAC address rather than IP address? That is, in the IPv6 world, where a machine can have many concurrent and past (but not yet invalid) IP addresses but, I assume, the same MAC address, and hence if Clientless Users could be determined based on MAC, all of the ever-changing IPv6 IPs could be considered a single user.

This would require that Sophos change how (clientless) users work so that a single user can be associated with multiple (IPv6) IPs, but without this change I can't see how SFOS will not totally break with IPv6. So many features in SFOS use User to control effects or to aggregate displays, and it's slightly painful now to have one-user-per-IP, but IPv4 and DHCP support it fairly straightforwardly. Do people think that IPv6 will be as much of a game-changer -- with its many ephemeral IPs per client -- as I think it will be?

My ISP doesn't provide it yet, but I experimented with a 6in4 tunnel via HE, and what a total mess IPv6 seems to be in terms of determining anything via IPv6 IP addresses. You either use RA and SLAAC, and also put up with potential ISP prefix changes, which is fine for a non-techie family, or you take total control with DHCPv6, prefix translation (PT), and probably clientless users. (Larger organizations will also likely have zero-trust or other authentication on machines and won't care about clientless users except maybe for printers, etc.)

Right now, I use DHCPv4 to assign fixed addresses to devices, and then assign most of them a user name as clientless users -- i.e. based on the DHCPv4-assigned IP. Those IP addresses are NAT'd, of course, so I can do what I want internally and no ISP changes will be visible to the local networks.

But with IPv6, all kinds of bad things happen. If I don't use DHCPv6, each machine can have an arbitrary number of IPs, many valid at one time, but also no-longer-valid IPs that are hanging around until totally aging off. No way to use clientless users in that scenario. If the ISP changes my prefix, all the addresses on all of my LANs now change.

And of course, if you can't even clientless-user a machine, you can't really control it via firewall rules.

So it seems like even a small business or an advanced home user will have to hope that Sophos has Prefix Translation (PT), then turn off SLAAC and use DHCPv6 and basically revert to the one-IP-per-machine world of IPv4. Then we could assign IPv6 IPs to clientless users and be back to a world where we control individual machines.

Am I totally misunderstanding how you might control individual machines (Traffic Shaping, IPS, URL restriction, App control, etc) in an IPv6 world? Sophos doesn't currently offer PD and my ISP doesn't provide IPv6, so this is all a bit moot at this point, but inquiring minds need to know. What do you think?



  • (I would also add that MAC addresses can of course be spoofed. And you have to turn phone random-MAC-address off for your SSID. And there are some devices, like an AppleTV that's a HomeKit controller, that will present a well-known MAC to get their first IP, but then won't hesitate to present made-up MACs to get more IPs if it wants them.)

  • Hi Wayne,

    the issue with your ISP is a real problem for XG users, the  does not care about the IPv6 external address, so you can use what ever you like.

    IPv6 addresses are assigned based on a DUID which usually has the MAC address attached to the end of the DUID. The MAC address used in IP4 and IPv6 can be different; W10 assigns different MAC addresses for IP4 and IPv6.

    If you use static addressing (from the DHCP server) and clientless users based on their static addresses, then create clientless groups, you can restrict access to facilities based on clientless groups. Using static addressing and enabling RA, but disabling the RA features so that address assignment is managed by the DHCP server, limits the devices to one IPv6 address which is constant.

    In the unmanaged state a device will end up with at least 3 IPv6 addresses, one local and two for internet access.

    Hopefully my post makes sense?

    Ian

    Added: NAT is mandatory with the XG version of IPv6.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
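An added example, not from any post in this thread: Ian notes that a DHCPv6 DUID usually carries the MAC, and SLAAC EUI-64 addresses embed it too, so a firewall or log pipeline can fold a device's many IPv6 addresses back onto one link-layer identity, which is the aggregation Wayne wants for clientless users. The leases and addresses below are constructed; DUID-EN and privacy (temporary) addresses carry no MAC and are left unattributed, which is exactly the gap the thread is worried about.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: DHCPv6 leases keyed by DUID hex, plus addresses
# seen in the neighbor table (SLAAC and privacy addresses).
SAMPLE_DHCPV6_LEASES = {
    # DUID-LLT (type 1): type(2) hwtype(2)=Ethernet time(4) MAC(6)
    "00010001" "2a1b3c4d" "001122334455": ["2001:db8:1::10"],
    # DUID-LL (type 3): type(2) hwtype(2) MAC(6)
    "00030001" "66778899aabb": ["2001:db8:1::20"],
    # DUID-EN (type 2): enterprise number + opaque id, no MAC inside
    "00020000" "00090cc0" "ffee": ["2001:db8:1::30"],
}
SAMPLE_SLAAC_ADDRS = [
    "2001:db8:1:0:211:22ff:fe33:4455",   # EUI-64 from 00:11:22:33:44:55
    "fe80::211:22ff:fe33:4455",          # link-local, same MAC
    "2001:db8:1:0:9a4f:2c71:83d0:1e6b",  # privacy address, random IID
]

def mac_from_duid(duid_hex):
    """MAC embedded in a DUID-LLT or DUID-LL (RFC 8415 layout), else None."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != 1:  # Ethernet only
        return None
    duid_type = int.from_bytes(raw[0:2], "big")
    if duid_type == 1 and len(raw) == 14:    # LLT: skip 4-byte time field
        ll = raw[8:14]
    elif duid_type == 3 and len(raw) == 10:  # LL: MAC follows the header
        ll = raw[4:10]
    else:
        return None
    return ":".join(f"{b:02x}" for b in ll)

def mac_from_eui64(addr):
    """MAC from a modified EUI-64 interface identifier (RFC 4291), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # no ff:fe marker -> not EUI-64
        return None
    first = iid[0] ^ 0x02                  # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def group_by_mac(leases, slaac_addrs):
    """Map each recoverable MAC (or raw DUID / 'unattributed') to its addresses."""
    groups = defaultdict(set)
    for duid, addrs in leases.items():
        groups[mac_from_duid(duid) or f"duid:{duid}"].update(addrs)
    for addr in slaac_addrs:
        groups[mac_from_eui64(addr) or "unattributed"].add(addr)
    return {k: sorted(v) for k, v in groups.items()}
```

Anything landing under "unattributed" (privacy addresses, DUID-UUID, DUID-EN) is precisely what a MAC-keyed clientless user could not cover, so a policy that relies on this mapping needs DHCPv6-only assignment as Ian describes.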

  • I keep really, really wanting to like IPv6, but this pretty much confirms my understanding. IPv6 was designed by people who evidently used a couple of anti-IPv4 slogans as the basis for their design.

    So we basically have to spend hours turning IPv6 back into IPv4, with DHCPv6, single-address-per-device, and even a form of NAT'ing (Prefix Translation) if we expect to have security and stability. Somehow I still want to want IPv6 -- which is a big credit to geek marketing on the Internet, I guess. I feel like Charlie Brown trying to kick the football again. :-(

  • Depends. IPv6 is supposed to have extra security features, but if you want to control user access to the internet you need to control the number of addresses assigned to them.

    Mandatory NAT is a cheap way of getting IPv6 into the XG. Further, XG (currently) does not support GeoIP or FQDNs for IPv6, except in the Network - DNS settings.

    I have both IP4 and IPv6 on my networks. Some devices do not request an IPv6 address, e.g. APs from a couple of manufacturers. A number of devices make greater use of IPv6 traffic.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Then there are further ideas, if the XG had an IPv6 implementation similar to the UTM, then you could assign a single FQDN to an IP4 and IPv6 address and manage both addresses in the one firewall rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The point is: there are plans to implement a full IPv6 stack, but I personally do not see the real benefits beside WAN. If your provider is doing IPv6 and you need DHCPv6-PD - fine. But who wants to start with IPv6 in their own network? There are "too many administrators" who never will start with this. I found only universities and co doing this as proof of concept, but most likely doing both or going back to IPv4 due to the amount of administration problems.

    One partner was talking about this, because they provide services via IPv6 within their backbone, but I would say: 99.99% of SFOS (and UTM) customers use IPv4 internally.

    WAN is another point. This highly depends on your country and/or ISP.

    But what I found to be a smoother solution is something like ZTNA to grant access. ZTNA offers a way of using Central as a connector: all clients connect to Central, and a resource within the network of the customer connects to Central. Therefore you do not have ingress, only egress.
