Session Abstract

In the dual-stack environment, enterprises that desire the ability to log network traffics (but not contents) in the same manner as the call-logging of the telephone industry and be traceable back to the individual conducting the transactions will critically need an authentication system that can bind the user account to all of the IP addresses, both IPv4 and IPv6, on the machine the user log-in, and release the bindings when the user log-out. In many countries, particularly in Thailand, IT laws mandate exactly such capability. Aggravating users by requiring them to do multiple log-in, one per address, is out of the question.

In this report, we present the design and implementation of a scalable, dual-stack oriented, consolidated authentication system for large-scale campus network.

The Kasetsart University network---The NontriNet (pronounce known-see-net)---is used as the testbed, achieving 1.3+ million authentication sessions per month for 63,000+ unique users. Our traffic log shows that 71% of our machines is currently IPv6-attached (65% as dual-address systems, the other 6% as pure-IPv6). Further statistics collected since