[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jim Small jim.small at cdw.com
Wed Sep 28 01:36:06 CEST 2011


> >>  Years ago, you couldn't rely *only* on SLAAC, since it didn't yet
> >>  support the RDNSS option (which is vital in most network deployments)
> >>  -- even with RDNSS now *specified*, it is still not widely deployed,
> >>  and hence you cannot rely on SLAAC alone.
> >>
> >>  OTOH, you cannot rely on DHCPv6 alone if you cannot get a default
> >>  route with it.
> >
> > DHCP is not needed when there is a desire to simplify the network
> > architecture.
> 
> That depends on what you mean by "simplify", or *what* (specifically)
> you want to simplify. e.g., DHCPv6 makes logging trivial. However,
> SLAAC+Privacy Extensions makes it rather difficult (at least with
> publicly available tools).
> 
> > RFC5006 introduced RDNSS in 2007, and was upgraded to
> > standards track in 2010 where DNS Search Lists (DNSSL) option was also
> > included.  It should also be noted a large IPv6 provider's CPE supported
> > the RDNSS option for years with their 6RD deployment.
> 
> Last time I checked (1-2 years ago), neither Windows, nor any of the
> open source OSes I was using supported RDNSS by default.
 
Here's a good list of RDNSS and DHCPv6 support for most O/S:
http://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

Notably, though, OS X 10.7 supports it, along with some versions of UNIX/Linux.  Crossing my fingers for Windows 8...

> > Real LAN based security remains possible with SeND,
> 
> ... if only one could deploy it for the general case.

Unfortunately I have no good news here.  AFAIK it's not even in the stock BSD/Linux kernels and there is no option I know of for Apple/Microsoft O/S nor plans/interest from those vendors in supporting it.

--Jim
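
Added example, not part of the original post: a parser for the RDNSS and DNSSL options discussed in this thread, for auditing whether a Router Advertisement carries the DNS configuration a SLAAC-only host needs. The option type numbers (25 and 31) come from the RFCs; the function names and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ND_OPT_RDNSS = 25  # Recursive DNS Server option (RFC 5006, later RFC 6106)
ND_OPT_DNSSL = 31  # DNS Search List option (RFC 6106)

def _decode_names(data: bytes) -> list:
    """Decode uncompressed DNS-label-encoded names, ignoring zero padding."""
    names, labels, i = [], [], 0
    while i < len(data):
        n, i = data[i], i + 1
        if n == 0:  # root label ends a name; further zeros are padding
            if labels:
                names.append(".".join(labels))
            labels = []
            continue
        if n > 63 or i + n > len(data):
            raise ValueError("bad DNSSL label")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return names

def parse_ra_dns_options(options: bytes) -> dict:
    """Walk the ND options that follow the 16-byte RA header; return DNS config."""
    result, offset = {"rdnss": [], "dnssl": []}, 0
    while offset + 2 <= len(options):
        opt_type, opt_len = options[offset], options[offset + 1]
        end = offset + opt_len * 8  # option length is in units of 8 octets
        if opt_len == 0 or end > len(options):
            raise ValueError("zero-length or truncated ND option")
        body = options[offset + 2:end]  # 2 reserved bytes, 4-byte lifetime, payload
        if opt_type == ND_OPT_RDNSS:
            if opt_len < 3 or opt_len % 2 == 0:  # length must be 1 + 2n, n >= 1
                raise ValueError("bad RDNSS option length")
            (lifetime,) = struct.unpack_from("!I", body, 2)
            servers = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
            result["rdnss"].append({"lifetime": lifetime, "servers": servers})
        elif opt_type == ND_OPT_DNSSL:
            (lifetime,) = struct.unpack_from("!I", body, 2)
            result["dnssl"].append({"lifetime": lifetime, "domains": _decode_names(body[6:])})
        offset = end
    return result

# Constructed sample: source link-layer option, RDNSS, DNSSL (not captured traffic).
SAMPLE_OPTIONS = (
    bytes.fromhex("0101020000000001")
    + bytes([25, 3, 0, 0]) + struct.pack("!I", 1800) + ipaddress.IPv6Address("2001:db8::53").packed
    + bytes([31, 3, 0, 0]) + struct.pack("!I", 1800) + b"\x07example\x03com" + bytes(4)
)
```

An empty `rdnss` list in the result means hosts that rely on SLAAC alone receive no resolver from that router.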



