[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Owen DeLong
owend at he.net
Wed Sep 28 07:38:28 CEST 2011
On Sep 27, 2011, at 4:46 PM, Douglas Otis wrote:
> On 9/27/11 12:36 PM, Fernando Gont wrote:
>
> Fernando,
>> That depends on what you mean by "simplify", or *what* (specifically)
>> you want to simplify. e.g., DHCPv6 makes logging trivial. However,
>> SLAAC+Privacy Extensions makes it rather difficult (at least with
>> publicly available tools).
>
> Cramming a growing list of options into DHCP packets has always stifled innovation. Security obtained by injecting options into DHCP then picked up via snooping is not without issues. This approach is neither ideal nor the simpler option. Especially when DHCP can no longer be relied upon as being relied upon. Some systems may ignore RA recommendations for stateful Address configuration, especially for devices that do not support DHCPv6.
>
There are already systems in IPv4 that ignore systems that are using addresses they weren't issued by the DHCP server. I see no reason such a system could not be put in place for IPv6 as well.
Owen