First allow me to say I am only modestly experienced with IPv6. Be gentle.
We (my company) currently whitelist inbound client access based on IPv4 addresses/subnets before they even talk to our remote access/VPN server. But for our mobile clients, this means whitelisting entire ISP lease ranges, and with our territories expanding, this practice is becoming less and less beneficial.
I am investigating the feasibility of transitioning our mobile clients to IPv6 and utilizing EUI-64/Interface ID as a possible whitelisting method. Since the EUI-64 is based on the hardware MAC address of the mobile broadband modem, I could, in theory, whitelist only the MACs we own - the attraction from a security perspective should be obvious.
However, it appears to me I have at least two hurdles to get over:
- An EUI-64-based Interface ID doesn't look like it is the norm from what I can tell. Every leased IPv6 address I have looked at doesn't look like it is using EUI-64. I am not sure a mobile client can insist/rely upon a lease that utilizes the EUI-64-based Interface ID.
- Neither our current firewall (Cisco) nor any I have investigated appear to support partial/wildcard IPv6 matching. Not a show stopper. I will build my own router if I have to, provided item 1 doesn't make the endeavor moot.
My Questions:
- Can mobile clients (Android, Windows) be configured such that they can rely upon receiving an IPv6 lease utilizing the EUI-64-based Interface ID, or is this solely controlled by the DHCPv6 server?
- Can a static IPv6 address somehow be used for this purpose (tunneling)?
- Is anyone aware of any vendor's commercial hardware that allows IPv6 filtering (masking) on just the Interface ID of an IPv6 address?
- Does anyone have any experience with this that can provide insights?
Please only reply if on topic: IPv6 Interface ID whitelisting. I am not interested in alternative strategies at this time, thank you.
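Editor's note, not part of the original post: the two pieces the question hinges on are (a) deriving the modified EUI-64 interface ID from a MAC (RFC 4291, Appendix A: insert ff:fe between the OUI and the NIC-specific half, then flip the universal/local bit) and (b) matching only the low 64 bits of an address regardless of which /64 the ISP handed out. The example below, written for this page, does both in Python's standard library and also tests whether an observed address even looks EUI-64 derived, which is how the poster's hurdle 1 would show up in practice. The MAC `00:1a:2b:3c:4d:5e` and all addresses are constructed sample values (documentation prefix `2001:db8::/32`), not data from the post.

```python
"""Interface-ID (EUI-64) allowlisting for IPv6 addresses -- illustrative example.

Everything here is constructed for illustration: the MAC address and the
IPv6 addresses are sample values, not real client data.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

IID_MASK = (1 << 64) - 1  # low 64 bits of a 128-bit address


def mac_to_modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID for a 48-bit MAC (RFC 4291 App. A).

    Accepts 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or 001a2b3c4d5e.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    # ff:fe goes between the OUI (first 3 octets) and the NIC part (last 3);
    # the universal/local bit (0x02 of the first octet) is inverted.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address, i.e. the part the host (not the ISP prefix) determines."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def looks_like_eui64(addr: str) -> bool:
    """Heuristic: ff:fe in the middle of the IID and the U/L bit set, as SLAAC produces
    from a globally assigned MAC. Privacy (RFC 4941) or DHCPv6 addresses will fail this."""
    iid = interface_id(addr)
    return (iid >> 24) & 0xFFFF == 0xFFFE and (iid >> 56) & 0x02 == 0x02


def iid_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC an EUI-64 interface ID was built from, or None if it isn't one."""
    if not looks_like_eui64(addr):
        return None
    eui = interface_id(addr).to_bytes(8, "big")
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:8]  # undo U/L flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in octets)


def interface_id_match(mac: str) -> Tuple[str, str]:
    """(value, mask) pair for a firewall that can mask an address bitwise:
    match src & mask == value. The mask covers only the low 64 bits."""
    value = ipaddress.IPv6Address(mac_to_modified_eui64(mac))
    mask = ipaddress.IPv6Address(IID_MASK)
    return str(value), str(mask)


class InterfaceIdAllowlist:
    """Allowlist keyed on the EUI-64 interface ID of MACs we own, prefix-agnostic."""

    def __init__(self, macs: Iterable[str]):
        self._iids = {mac_to_modified_eui64(m) for m in macs}

    def permits(self, addr: str) -> bool:
        # Only the host half is compared; any ISP /64 prefix is accepted.
        return interface_id(addr) in self._iids


if __name__ == "__main__":
    acl = InterfaceIdAllowlist(["00:1a:2b:3c:4d:5e"])  # constructed MAC we "own"
    for a in ("2001:db8:1::21a:2bff:fe3c:4d5e",          # EUI-64, prefix A
              "2001:db8:abcd:42:21a:2bff:fe3c:4d5e",     # same MAC, different ISP prefix
              "2001:db8:1:0:7a4d:9e03:c1f2:8b17"):       # privacy-extension style IID
        print(a, "eui64" if looks_like_eui64(a) else "not-eui64",
              "ALLOW" if acl.permits(a) else "DENY", iid_to_mac(a))
    print(interface_id_match("00:1a:2b:3c:4d:5e"))
```

The third sample address is the point of hurdle 1: a client using privacy extensions (the default on Windows and Android) never presents an EUI-64 interface ID, so it is denied no matter what MAC it has. Two caveats a practitioner would add: the interface ID is set by the client in SLAAC (or assigned by the DHCPv6 server), not by the network, so it is trivially forgeable by anyone who learns an allowlisted MAC and should be treated as an identity hint ahead of the VPN's real authentication, not as authentication itself; and the `(value, mask)` pair is only useful on a filter that can apply an arbitrary bitmask rather than a prefix length.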