
Are there plans for a Clientless-User-like capability with IPv6?

Specifically, I think a lot of us in smaller installations use Clientless Users for most or all devices, so they have names. And this works well with various Sophos displays which allow you to sort/aggregate by User.

But this takes advantage of the IPv4 world where every machine has one MAC address, which gets one IP address (via DHCP4), which corresponds to one Clientless User name. In the IPv6 world, I see 4-5 IPv6 addresses per device so this mechanism for using Clientless User name won't work without some kind of enhancement.

I'm guessing that larger installations will have more powerful Authentication mechanisms/infrastructures that might tie many IPv6 to a single user. And for smaller installations I'm thinking that perhaps Clientless User could switch to being based on MAC addresses or DUID instead of IP -- though maybe that breaks for upstream routers.

Is this making sense? Are there any plans for something to handle this? This is one reason I'm really not eager to get IPv6 -- which my current ISP doesn't yet provide anyhow -- because it feels like I'll never quite have a handle on a "user" (machine) anymore. In reality, all IoT devices (printers, AppleTVs, phones, tablets, etc) are logically a single user, and even devices that can directly support multiple users (laptops and desktops being the main examples) are usually a single user almost all of the time, and that's the way I think I want to monitor things logically.

More subnets -- which IPv6 supports -- can help, but in my use case everything is wireless, so a subnet/VLAN most straightforwardly corresponds to an SSID, and SSIDs are extremely limited. Thoughts?

  • If you wish to do address management in the current version of XG v21 GA do not use IPv6PD.

    Most of my IoT devices do not request an IPv6 address even though they are assigned on DHCP regardless of cable or wifi connections.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • There's a concept called Network Prefix Translation (NPT) which I think is also known as NAT66 [EDIT: This is WRONG, NPTv6 is NOT the same as NAT66] which I think might have bearing on this. The idea is that you specify/lease static IPv6's inside your network, and there's a 1:1 "NAT" step at the boundary that substitutes your delegated prefix for the internal prefix on outgoing, and the reverse on the incoming.

    Maybe DHCP6 -- if well-implemented and PD-aware -- can directly do this, though DHCP does have timeouts while NPT would not.

    I mean, I like the idea of security IPv6's that rotate on a regular basis to help avoid tracking/profiling. It's just that this makes it hard to figure out that my laptop or the laser printer is being blocked going to a suspicious website.

  • The v21 version does not require a NAT rule for IPv6, so not sure how that would work?

    It also makes address management difficult and reduces your security management ability.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • "NAT66" and NPT aren't real NAT, and wouldn't use the current NAT mechanism. They are simply substituting the prefix. So it would be an additional checkbox associated with PD where you could specify that you want to accept PD (which your ISP will probably require) but the delegated prefix will be replaced (on the internal networks) by a fixed prefix that you specify. (And the inverse on output.) So as far as internal machines are concerned -- and any recording/mapping/rules are concerned -- their prefix never changes. But the ISP and the outside world might see several different prefixes in a day.

    It's NAT-like in some sense, but always 1:1, never masquerading, etc: none of the problems that NAT under IPv4 has.

    EDIT: NAT66 is not the same as NPTv6. NAT66, like NAT44, can change both the network and the machine part of the address. NPTv6 can only change the network prefix. I'm talking NPTv6, which is stateless, preserves host distinctions 1:1, etc.
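The prefix-only substitution described in the posts above, written out as an added example (this is not code from the thread, from Sophos, or from any NPTv6 implementation). The ULA prefix and the two delegated prefixes are constructed placeholders, and the function does the plain prefix swap the post describes rather than the checksum-neutral adjustment that RFC 6296 specifies.

```python
import ipaddress

# Constructed example values, not from the thread: a ULA prefix used inside
# the LAN and two prefixes delegated by the ISP at different times of day.
INTERNAL_PREFIX = ipaddress.IPv6Network("fd12:3456:789a::/48")
DELEGATED_MORNING = ipaddress.IPv6Network("2001:db8:aaaa::/48")
DELEGATED_EVENING = ipaddress.IPv6Network("2001:db8:bbbb::/48")


def translate_prefix(addr, src, dst):
    """Swap addr's src prefix for dst, keeping every bit below the prefix.

    Stateless and 1:1: the subnet id and interface identifier are untouched,
    so two addresses that differ inside the LAN still differ outside it.
    Assumes src and dst have equal length; this is the plain substitution
    the post describes, not the checksum-neutral adjustment of RFC 6296.
    """
    addr = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    host_bits = int(addr) & host_mask
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


def outbound(internal_addr, delegated):
    """LAN -> Internet: the fixed internal prefix becomes the delegated one."""
    return translate_prefix(internal_addr, INTERNAL_PREFIX, delegated)


def inbound(external_addr, delegated):
    """Internet -> LAN: the delegated prefix becomes the fixed internal one."""
    return translate_prefix(external_addr, delegated, INTERNAL_PREFIX)


def external_views(internal_addr, delegations):
    """Addresses the outside world saw for one unchanging internal address
    across several delegated prefixes, checking that each maps back 1:1."""
    seen = []
    for delegated in delegations:
        ext = outbound(internal_addr, delegated)
        assert inbound(ext, delegated) == ipaddress.IPv6Address(internal_addr)
        seen.append(str(ext))
    return seen


if __name__ == "__main__":
    # The printer's address in firewall logs and rules never changes,
    # even though the ISP handed out two different prefixes during the day.
    printer = "fd12:3456:789a:1::10"
    print(external_views(printer, [DELEGATED_MORNING, DELEGATED_EVENING]))
```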