[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Tomas Podermanski tpoder at cis.vutbr.cz
Tue Sep 27 15:48:10 CEST 2011


Hi,

On 9/27/11 10:31 AM, Enno Rey wrote:
> Hi,
>
> On Tue, Sep 27, 2011 at 04:33:27AM +0200, fred wrote:
>> I would then say that it is a bit more complicated to fool NDP than ARP
>> because of its more sophisticated FSM, NUD, and so on...
>>
>> So why could NDP be worse than ARP? Because it can advertise a default
>> router with an RA? If the answer is yes, maybe there is a way (which I would
>> not recommend anyway) to stop the router from sending RAs and configure the
>> end node from DHCPv6 or manually. Just like IPv4 would do.
> nope. as DHCPv6 does (currently, and the respective IETF draft was discarded after v01) _not_ allow the distribution of a default router.

The history of the default route in DHCPv6 is a little bit complicated. There
were several attempts to put a default route option into DHCPv6:

draft-droms-dhc-dhcpv6-default-router-00, Expired in 2009 after
discussion in dhcpwg
(http://www.ietf.org/mail-archive/web/dhcwg/current/msg09715.html)
draft-dec-dhcpv6-route-option-05, Expired in 2011

and now the IETF is working on draft-ietf-mif-dhcpv6-route-option-03 and it
seems that this one might be accepted (but who knows).

Even if that draft were proposed as a standard, we would have to
wait several years while vendors adopt it. So today we cannot
count on it and have to live with both SLAAC and DHCPv6.

> so a node just configured by means of DHCPv6 only will not be able to communicate outside its local-link space. [which can be a desired state, security-wise, but will probably seldom be desirable functionality-wise ;-)]

Exactly - it is the reality these days. What is worse, DHCPv6 is not
supported by all platforms (Win XP, older versions of Mac OS, some Linux
distributions), so you have to run SLAAC for these platforms as well to
provide IPv6 connectivity to them.

>
> as for manual config, not sure if anybody here regards this as a viable way in the IPv6 world...

It might be a viable way for servers but not for 6000 users using their own
equipment and different operating systems.


thanks

    Tomas
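The point argued in this thread is that NDP differs from ARP in that any node on the link can offer a default router and SLAAC prefix with a single Router Advertisement, while DHCPv6 alone cannot install a default route. As an added illustration (not code from the list or from any poster), the following script decodes an ICMPv6 RA per RFC 4861 and flags advertisements that would change a host's routing state but come from an unexpected source. The allowlisted router MAC, the prefixes and the two packets are constructed for this example and are not from the original message; checksums are left at zero because nothing here touches the wire.

```python
"""Parse ICMPv6 Router Advertisements and flag ones that would install an
unexpected default router or SLAAC prefix. Added example for the ipv6hackers
thread; the allowlist and sample packets below are constructed, not captured."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR = 1
OPT_PREFIX_INFO = 3


def parse_ra(payload: bytes) -> dict:
    """Decode an RA (RFC 4861 section 4.2) into a dict; raise ValueError on junk."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, hop_limit, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a router advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M flag: get addresses via DHCPv6
        "other": bool(flags & 0x40),          # O flag: other config via DHCPv6
        "router_lifetime": router_lifetime,   # 0 means "I am not a default router"
        "prefixes": [],
        "src_lladdr": None,
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861 says discard the packet
        opt = payload[off:off + opt_len * 8]
        if len(opt) != opt_len * 8:
            raise ValueError("truncated option body")
        if opt_type == OPT_SRC_LLADDR and opt_len == 1:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            prefix = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra["prefixes"].append({
                "prefix": prefix,
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),   # A flag: hosts may SLAAC from it
                "valid": valid,
                "preferred": preferred,
            })
        off += opt_len * 8
    return ra


def check_ra(ra: dict, allowed_routers: set, allowed_prefixes: set) -> list:
    """Return findings for an RA that would alter host state unexpectedly.
    The source link-layer option is trivially spoofable, so a real deployment
    keys on the switch port (RA Guard) rather than on this field."""
    findings = []
    src = ra["src_lladdr"] or "<no src-lladdr option>"
    life = ra["router_lifetime"]
    if life > 0 and src not in allowed_routers:
        findings.append(f"default router offered by unlisted {src} (lifetime {life}s)")
    if life == 0 and src in allowed_routers:
        findings.append(f"default router withdrawal claiming to be {src}; verify it is genuine")
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in allowed:
            findings.append(f"SLAAC prefix {p['prefix']} from {src} is not an expected prefix")
    return findings


def build_ra(src_mac: bytes, router_lifetime: int, prefix: str, flags: int = 0) -> bytes:
    """Construct an RA carrying a source link-layer option and one prefix-info
    option (L and A flags set, checksum left zero). Used only to make samples."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    src_opt = struct.pack("!BB", OPT_SRC_LLADDR, 1) + src_mac
    pfx_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                          2592000, 604800, 0) + net.network_address.packed
    return hdr + src_opt + pfx_opt


# Constructed allowlist and sample packets (assumptions for the example).
ALLOWED_ROUTERS = {"00:11:22:33:44:55"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}
LEGIT_RA = build_ra(bytes.fromhex("001122334455"), 1800, "2001:db8:1::/64")
ROGUE_RA = build_ra(bytes.fromhex("deadbeef0001"), 9000, "2001:db8:bad::/64")
WITHDRAW_RA = build_ra(bytes.fromhex("001122334455"), 0, "2001:db8:1::/64")


def audit(packets: dict) -> dict:
    """Map packet name to its findings; an empty list means nothing suspicious."""
    return {name: check_ra(parse_ra(pkt), ALLOWED_ROUTERS, ALLOWED_PREFIXES)
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, findings in audit({"legit": LEGIT_RA, "rogue": ROGUE_RA,
                                 "withdraw": WITHDRAW_RA}).items():
        print(name, findings or ["ok"])
```

On a live host the same parser can be fed from a raw ICMPv6 socket (Python's `socket.AF_INET6`/`socket.IPPROTO_ICMPV6`) to watch for rogue RAs; the checker deliberately treats a lifetime-0 RA from the "legitimate" MAC as a finding too, because a spoofed withdrawal is as effective at breaking connectivity as a spoofed router is at hijacking it.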



