[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Fernando Gont fgont at si6networks.com
Tue Sep 27 21:36:39 CEST 2011


On 09/27/2011 04:09 PM, Douglas Otis wrote:
>>  Years ago, you couldn't rely *only* on SLAAC, since it didn't yet
>>  support the RDNSS option (which is vital in most network deployments)
>>  -- even with RDNSS now *specified*, it is still not widely deployed,
>>  and hence you cannot rely on SLAAC alone.
>>
>>  OTOH, you cannot rely on DHCPv6 alone if you cannot get a default
>>  route with it.
> 
> DHCP is not needed when there is a desire to simplify the network
> architecture. 

That depends on what you mean by "simplify", or *what* (specifically)
you want to simplify. E.g., DHCPv6 makes logging trivial. However,
SLAAC+Privacy Extensions makes it rather difficult (at least with
publicly available tools).


> RFC5006 introduced RDNSS in 2007, and was upgraded to
> standards track in 2010 where DNS Search Lists (DNSSL) option was also
> included.  It should also be noted a large IPv6 provider's CPE supported
> the RDNSS option for years with their 6RD deployment.  

Last time I checked (1-2 years ago), neither Windows, nor any of the
open source OSes I was using supported RDNSS by default.


> Real LAN based security remains possible with SeND, 

... if only one could deploy it for the general case.


Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
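
An added example (not part of the original message) of the logging point above: a SLAAC address built from a modified EUI-64 interface ID carries the host's MAC, while a Privacy Extensions address does not, so attribution has to fall back on a separately recorded neighbor-cache mapping. The addresses, MAC and snapshot format are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: looks for the ff:fe filler in the middle of the IID.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived, e.g. a temporary (privacy) address
    # Undo the universal/local bit flip and drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

# Constructed neighbor-cache snapshots: (time, IPv6 address, MAC).
# In practice these would be polled from the first-hop router or switch.
SNAPSHOTS = [
    ("2011-09-27T10:00", "2001:db8:1::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("2011-09-27T10:00", "2001:db8:1::5c3a:9e01:77b2:d410", "00:11:22:33:44:55"),
    ("2011-09-27T10:05", "2001:db8:1::a9f1:3b6c:02de:8e17", "00:11:22:33:44:55"),
]

def attribute(addr, snapshots):
    """Map an address seen in a log to (mac, method)."""
    mac = mac_from_eui64(addr)
    if mac is not None:
        return mac, "eui64"
    target = ipaddress.IPv6Address(addr)
    for _ts, seen, seen_mac in snapshots:
        if ipaddress.IPv6Address(seen) == target:
            return seen_mac, "neighbor-cache"
    return None, "unknown"  # address rotated out before any snapshot saw it

def addresses_per_mac(snapshots):
    """Group every address observed for each MAC across all snapshots."""
    seen = {}
    for _ts, addr, mac in snapshots:
        seen.setdefault(mac, set()).add(str(ipaddress.IPv6Address(addr)))
    return seen

if __name__ == "__main__":
    for a in ("2001:db8:1::211:22ff:fe33:4455",
              "2001:db8:1::a9f1:3b6c:02de:8e17",
              "2001:db8:1::dead:beef:1234:5678"):
        print(a, attribute(a, SNAPSHOTS))
```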





