Would it be possible and would it be a good idea to add the capability for Clientless Users to be designated via MAC address rather than IP address? That is, in the IPv6 world, where a machine can have many concurrent and past (but not yet invalid) IP addresses but, I assume, the same MAC address, and hence, if Clientless Users could be determined based on MAC, all of the ever-changing IPv6 IPs could be considered a single user.
This would require that Sophos change how (clientless) users work so that a single user can be associated with multiple (IPv6) IPs, but without this change I can't see how SFOS will not totally break with IPv6. So many features in SFOS use User to control effects or to aggregate displays, and it's slightly painful now to have one-user-per-IP, but IPv4 and DHCP support it fairly straightforwardly. Do people think that IPv6 will be as much of a game-changer -- with its many ephemeral IPs per client -- as I think it will be?
My ISP doesn't provide it yet, but I experimented with a 6in4 tunnel via HE, and what a total mess IPv6 seems to be in terms of determining anything via IPv6 IP addresses. You either use RA and SLAAC, and also put up with potential ISP prefix changes, which is fine for a non-techie family, or you take total control with DHCPv6, prefix translation (PT), and probably clientless users. (Larger organizations will also likely have zero-trust or other authentication on machines and won't care about clientless users except maybe for printers, etc.)
Right now, I use DHCPv4 to assign fixed addresses to devices, and then assign most of them a user name as clientless users -- i.e. based on the DHCPv4-assigned IP. Those IP addresses are NAT'd, of course, so I can do what I want internally and no ISP changes will be visible to the local networks.
But with IPv6, all kinds of bad things happen. If I don't use DHCPv6, each machine can have an arbitrary number of IPs, many valid at one time, but also no-longer-valid IPs that are hanging around until totally aging off. No way to use clientless users in that scenario. If the ISP changes my prefix, all the addresses on all of my LANs now change.
And of course, if you can't even clientless-user a machine, you can't really control it via firewall rules.
So it seems like even a small business or an advanced home user will have to hope that Sophos has Prefix Translation (PT), then turn off SLAAC and use DHCPv6 and basically revert to the one-IP-per-machine world of IPv4. Then we could assign IPv6 IPs to clientless users and be back to a world where we control individual machines.
Am I totally misunderstanding how you might control individual machines (Traffic Shaping, IPS, URL restriction, App control, etc) in an IPv6 world? Sophos doesn't currently offer PD and my ISP doesn't provide IPv6, so this is all a bit moot at this point, but inquiring minds need to know. What do you think?
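As an added illustration of the MAC-keyed approach the post proposes (example code added here, not code from the original post, from Sophos, or from SFOS), the Python script below reads a constructed neighbor-cache sample in the output format of Linux `ip -6 neigh show`, groups every IPv6 address seen on-link by the link-layer address it was learned with, classifies each address as link-local, SLAAC EUI-64, or random-IID (RFC 4941 temporary or DHCPv6), shows that one host can hold addresses in two prefixes at once after an ISP prefix change, and resolves any of those addresses to a single clientless user through a hypothetical MAC-to-user table. The sample lines, the MACs, and the user names are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample neighbor cache in the output format of `ip -6 neigh show` on
# Linux. It is not a real capture. Host 00:11:22:33:44:55 appears with a link-local
# address, a SLAAC EUI-64 address under the current prefix 2001:db8:1::/64, an
# RFC 4941 temporary (privacy) address, and a not-yet-expired address under the
# old prefix 2001:db8::/64. The FAILED entry has no link-layer address and is skipped.
SAMPLE_NEIGH = """\
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1:0:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:1:0:9c1e:7a2b:4d0f:6e81 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:0:0:211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1:0:aabb:ccff:fedd:eeff dev eth0 lladdr a8:bb:cc:dd:ee:ff REACHABLE
fe80::1 dev eth0 lladdr 00:aa:bb:cc:dd:ee router REACHABLE
2001:db8:1::5 dev eth0  FAILED
"""

# Constructed MAC -> clientless-user table: the keying the post proposes (hypothetical names).
CLIENTLESS_USERS_BY_MAC = {
    "00:11:22:33:44:55": "alice-laptop",
    "a8:bb:cc:dd:ee:ff": "printer",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_neigh(text):
    """Return [(IPv6Address, mac)] for every entry that carries a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # INCOMPLETE/FAILED entries have no lladdr, so no host identity
        entries.append((ipaddress.IPv6Address(m["ip"]), m["mac"].lower()))
    return entries


def group_by_mac(entries):
    """All addresses seen for each MAC: the many-to-one mapping the post asks for."""
    groups = defaultdict(set)
    for ip, mac in entries:
        groups[mac].add(ip)
    return dict(groups)


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) derived from a MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")


def address_kind(ip, mac):
    """Classify one address relative to the MAC it was learned from."""
    if ip.is_link_local:
        return "link-local"
    if (int(ip) & ((1 << 64) - 1)) == eui64_iid(mac):
        return "slaac-eui64"  # IID derived from the MAC; identical under every prefix
    return "temporary-or-dhcpv6"  # random IID: RFC 4941 privacy address or a DHCPv6 lease


def global_prefixes(entries):
    """Per MAC, the set of non-link-local /64 prefixes the host currently has addresses in."""
    prefixes = defaultdict(set)
    for ip, mac in entries:
        if not ip.is_link_local:
            prefixes[mac].add(ipaddress.IPv6Network(f"{ip}/64", strict=False))
    return dict(prefixes)


def user_for_ip(ip_str, entries, users_by_mac):
    """Resolve any observed IPv6 address to a clientless user via the MAC it was seen with."""
    ip = ipaddress.IPv6Address(ip_str)
    for seen_ip, mac in entries:
        if seen_ip == ip:
            return users_by_mac.get(mac)
    return None  # never seen on-link, or no lladdr learned for it


if __name__ == "__main__":
    entries = parse_neigh(SAMPLE_NEIGH)
    for mac, ips in group_by_mac(entries).items():
        print(f"{mac} -> {CLIENTLESS_USERS_BY_MAC.get(mac, '<no clientless user>')}")
        for ip in sorted(ips):
            print(f"    {ip}  ({address_kind(ip, mac)})")
    print({m: sorted(map(str, p)) for m, p in global_prefixes(entries).items()})
```

Two caveats a practitioner would want alongside this. First, the MAC is only visible for hosts on a directly attached segment (it comes from the firewall's own neighbor cache), so a MAC-keyed user cannot be resolved for anything behind another router. Second, the EUI-64 check only recovers the MAC from a SLAAC address that embeds it; RFC 4941 temporary addresses and DHCPv6 leases carry a random interface identifier, so the address alone says nothing about the host, and the mapping has to come from the neighbor cache at the moment the address was seen. Modern client operating systems also randomize Wi-Fi MACs per network, which weakens the assumption in the post that the MAC is the stable identity.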