Happy Friday readers! Just a quick heads-up that next week I’ll be presenting at the 2014 World IPv6 Congress in Paris, France. As the name suggests, the Congress brings together members of the global IPv6 adoption community to share knowledge and discuss ongoing efforts to drive IPv6 deployment. The theme this year is “IP on Everything”, a tongue-in-cheek reference to the Internet of Things (or Internet of Everything if you prefer). Other areas of emphasis will include “large scale deployments and measurements” as well as “SDN, transition strategies, training issues, and enterprise deployment” — the last subject of particular interest given Infoblox’s role in providing DDI technology to many enterprise customers.
My presentation this year is a follow-up to the DHCPv6 fingerprinting topic I covered at last year’s RMv6TF Summit in Denver, Colorado. If you’re new to the subject, DHCPv6 (along with DHCP) fingerprinting is a lightweight method for identifying mobile devices (tablets, smart phones, laptops and so on) on the network. The method is ingeniously simple: a DHCPv6 SOLICIT packet (or DHCP DISCOVER packet in v4) contains fields whose contents vary by device, which allows both the device and its OS to be typed. In IPv4 DHCP, the Parameter Request List (Option 55) is used: the option codes listed under Option 55, and the order in which the client lists them, form a unique fingerprint. By comparison, DHCPv6 does not implement Option 55, so the collection of all options present in the message can be used instead for reliable device and OS typing.
The identification of the device and OS allows the DHCP(v6) server to deny the assignment of an IP address to undesirable devices (e.g., Xboxes or rogue WAPs) as well as track the number of specific device and OS types connecting to the network over time. This can be incredibly useful in formulating or improving an enterprise BYOD (or “Bring Your Own Device”) policy.
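To make the mechanism described above concrete, here is a small added example (not Infoblox or NIOS code) that parses a DHCPv4 DISCOVER and a DHCPv6 SOLICIT, extracts the fingerprint string each yields (the ordered Option 55 list for v4, the ordered list of all option codes for v6) and applies a simple per-device-class allow/deny filter of the kind the previous paragraph describes. The packet layouts follow RFC 2131 and RFC 3315; the sample packets, the fingerprint table and its device-class names are constructed for this example, and the helper names (`build_discover`, `build_solicit`, `classify`, `lease_decision`) are assumptions of mine, not a real API.

```python
"""Added example: passive DHCP / DHCPv6 fingerprint extraction and filtering.

Not Infoblox code. Packet layouts follow RFC 2131 (DHCPv4) and RFC 3315
(DHCPv6); sample packets and the fingerprint table are constructed here.
"""
import struct

DHCPV4_FIXED_LEN = 236                 # op .. file fields, before the magic cookie
DHCPV4_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_PAD, OPT_END = 53, 55, 0, 255
DHCPV6_SOLICIT = 1

# Constructed lookup table: (family, fingerprint) -> device class. A real server
# consults a maintained fingerprint database; these entries are placeholders.
FINGERPRINT_DB = {
    ("v4", "1,3,6,15,119,252"): "constructed-phone-os",
    ("v4", "1,28,2,3,15,6,12"): "constructed-game-console",
    ("v6", "1,6,8"): "constructed-laptop-os",
}


def dhcpv4_fingerprint(packet: bytes) -> str:
    """Return the Option 55 parameter list as "a,b,c" in wire order, or "" if absent."""
    cookie = packet[DHCPV4_FIXED_LEN:DHCPV4_FIXED_LEN + 4]
    if len(packet) < DHCPV4_FIXED_LEN + 4 or cookie != DHCPV4_COOKIE:
        raise ValueError("not a DHCPv4 message (too short or missing magic cookie)")
    i = DHCPV4_FIXED_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:               # single-byte pad, no length field
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        if code == OPT_PARAM_REQ_LIST:
            return ",".join(str(b) for b in data)   # order is part of the fingerprint
        i += 2 + length
    return ""


def dhcpv6_fingerprint(packet: bytes) -> str:
    """Return every option code of a DHCPv6 message, in wire order, as "a,b,c"."""
    if len(packet) < 4:
        raise ValueError("not a DHCPv6 message (shorter than msg-type + xid)")
    codes, i = [], 4                      # skip msg-type (1 byte) + transaction-id (3 bytes)
    while i < len(packet):
        if i + 4 > len(packet):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", packet, i)
        if i + 4 + length > len(packet):
            raise ValueError("truncated option data")
        codes.append(code)
        i += 4 + length
    return ",".join(str(c) for c in codes)


def classify(family: str, fingerprint: str) -> str:
    """Map a fingerprint to a device class; unmatched fingerprints are 'unknown'."""
    return FINGERPRINT_DB.get((family, fingerprint), "unknown")


def lease_decision(family: str, fingerprint: str, denied_classes) -> bool:
    """True = grant a lease, False = deny. Unknown devices are granted, matching a
    filter that only lists specific classes to block."""
    return classify(family, fingerprint) not in denied_classes


# --- constructed sample packets -------------------------------------------
def build_discover(prl: bytes, chaddr: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Minimal DHCPv4 DISCOVER carrying Option 53 and the given Option 55 list."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_PARAM_REQ_LIST, len(prl)]) + prl
    return header + DHCPV4_COOKIE + options + bytes([OPT_END])


def build_solicit(options) -> bytes:
    """Minimal DHCPv6 SOLICIT from a list of (option-code, data) pairs."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return bytes([DHCPV6_SOLICIT]) + b"\xab\xcd\xef" + body


if __name__ == "__main__":
    denied = {"constructed-game-console"}
    for name, fam, pkt in [
        ("phone", "v4", build_discover(bytes([1, 3, 6, 15, 119, 252]))),
        ("console", "v4", build_discover(bytes([1, 28, 2, 3, 15, 6, 12]))),
        ("laptop", "v6", build_solicit([(1, b"\x00\x03\x00\x01\x02\x00\x00\x00\x00\x01"),
                                        (6, b"\x00\x17\x00\x18"), (8, b"\x00\x00")])),
    ]:
        fp = dhcpv4_fingerprint(pkt) if fam == "v4" else dhcpv6_fingerprint(pkt)
        print(f"{name:8s} {fam} fp={fp:20s} class={classify(fam, fp):26s} "
              f"lease={'grant' if lease_decision(fam, fp, denied) else 'deny'}")
```

The parsers only read what the client already sent, which is the point of the post: there is no probe, just a lookup on a string the server has in hand. The length checks matter in practice because a malformed client packet must not crash the fingerprinting path of a production DHCP server.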
One of the most compelling things about DHCP and DHCPv6 fingerprinting is that the actionable data it relies on are essentially “free.” Since the DHCP server is passively receiving address requests from a client that contain the information required for device identification, there is no additional transactional overhead. Compared to, say, nmap host OS detection (which requires a CPU intensive probing of the remote client), DHCP fingerprinting is an incredibly efficient method for basic system identification and inventory.
From the NIOS 6.9 Admin Guide: “On an Infoblox appliance, DHCP fingerprint detection is enabled by default for all new installations. You can disable this feature at the Grid and member levels…As illustrated in [Figure 1], the appliance automatically matches option 55 and then option 60 in DHCP REQUEST messages against standard and custom DHCP fingerprints in the database. Once the appliance finds a match, it either grants or denies a lease to the requesting client based on the DHCP fingerprint filters that you apply to the DHCP range.”
DHCPv6 fingerprinting faces particular challenges that are at least partly due to the scant deployment of DHCPv6, the biggest of which is the relative lack of known DHCPv6 fingerprints. Some progress has been made in gathering additional fingerprints and in formalizing methods of collection, which narrows the feature gap with IPv4 DHCP fingerprinting. Publishing DHCPv6 fingerprints as they are collected enables their use in further research and in production deployments. Eventually, DHCPv6 deployments could learn new fingerprints dynamically by correlating a device’s DHCPv6 options with its IPv4 fingerprint, or perhaps with other methods of OS detection.
Such efforts in DHCP fingerprinting underscore the general need for parity between IPv4 and IPv6 features if IPv6 is going to reach a critical mass of deployment in production enterprise environments sooner rather than later. I expect that this topic will get some much-needed coverage at the 2014 v6 Congress. So if you’re in Paris next week, please consider attending. Even if the IPv6 enterprise isn’t your main interest, you won’t want to miss the tons of other great presentations from folks that have been working on engineering and deploying IPv6 from the very beginning. Hope to see you there!