[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Fernando Gont fgont at si6networks.com
Tue Sep 27 16:17:38 CEST 2011


Hi, Enno,

On 09/27/2011 05:31 AM, Enno Rey wrote:
> nope. as DHCPv6 does (currently, and the respective IETF draft was
> discarded after v01) _not_ allow the distribution of a default
> router. so a node just configured by means of DHCPv6 only will not be
> able to communicate outside its local-link space. [which can be a
> desired state, security-wise, but will probably seldom be desirable
> functionality-wise ;-)]

I don't recall off the top of my head what was the rationale for
producing the standards this way, but at least in principle it looks
rather dumb.

Years ago, you couldn't rely *only* on SLAAC, since it didn't yet support
the RDNSS option (which is vital in most network deployments) -- even
with RDNSS now *specified*, it is still not widely deployed, and hence
you cannot rely on SLAAC alone.

OTOH, you cannot rely on DHCPv6 alone if you cannot get a default route
with it.

This basically means you must support both, even if you only need very
little of one of them.

Not very much following the KISS principle...

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





