[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Eric Vyncke (evyncke) evyncke at cisco.com
Mon Sep 3 11:51:59 CEST 2012

> > FYI - DHCPv6 Guard is available in IOS 15.2(4)S on the 7600s today.
> Granted it's not pervasive, but it does exist and will come to more
> platforms.
> <politically_incorrect>
> Does it actually work, or is it more like the RA-Guard implementation?
> </politically_incorrect>

Nice HTML tag ;-)

It is also available on 15.0(2)SE BTW (Cat 3560-x and others).

DHCP-guard has two functions (please bear in mind that even if I work for Cisco and talk to engineers, I did not develop the feature :-) so it is just an educated guess):
- learn the 'official' bindings, and, in this case it does reassembly by listening to the DHCP mcast addresses
- block all rogue DHCP packets (pretty much like RA guard) and indeed the wire-speed stateless ACL can be evaded by fragmenting the rogue DHCP packet in such a way that the UDP header is in the second fragment.

The obvious counter-measure for this issue is simply to drop all fragments sent to a link-local address... Could also use 'undetermined-transport' on switches supporting it

Hope this helps
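The evasion and the two countermeasures above, as an added worked example (my own code, not from this post, from Cisco, or from any real guard implementation). It walks the IPv6 extension-header chain of a packet the way a stateless first-hop filter has to, with only the bytes of that one fragment in hand, then shows that a DHCPv6 ADVERTISE split so its UDP header lands in the second fragment slips past a "drop UDP source port 547" rule, while dropping fragments to link-local destinations or packets whose transport cannot be determined catches both fragments. The sample packets, addresses, fragment identification and the simplified "undetermined transport" semantics (transport header absent from this packet) are all constructed assumptions; real ACL keywords behave as their vendor documents them.

```python
"""Stateless IPv6 header-chain classification, rogue DHCPv6 fragment evasion,
and the link-local-fragment / undetermined-transport countermeasures."""
import ipaddress
import struct

EXT_HEADERS = {0, 43, 44, 60}   # hop-by-hop, routing, fragment, destination options
IPV6_FRAGMENT = 44
IPPROTO_UDP = 17
DHCPV6_SERVER_PORT = 547        # server/relay -> client replies are sourced from this port


def ipv6_header(next_header, src, dst, payload_len, hop_limit=255):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def fragment_header(next_header, offset_units, more, ident):
    # Fragment offset is in 8-octet units; the M flag is the low bit of the same 16-bit field.
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def dest_opts(next_header, total_len):
    # Hdr Ext Len counts 8-octet units beyond the first 8; the body is a single PadN option.
    padn = total_len - 4
    return struct.pack("!BBBB", next_header, total_len // 8 - 1, 1, padn) + b"\x00" * padn


def find_transport(pkt):
    """Walk the extension-header chain of one packet exactly as it arrived.
    Returns (proto, offset, fragmented); proto is None when the upper-layer header
    is not inside this packet: a non-first fragment, or a first fragment whose
    extension headers push the transport header into a later fragment."""
    nh, off, fragmented = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return None, None, fragmented
        if nh == IPV6_FRAGMENT:
            fragmented = True
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return None, None, fragmented          # not the first fragment
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off + 8 > len(pkt):                              # transport header would start past the end
        return None, None, fragmented
    return nh, off, fragmented


def dst_is_link_scope(pkt):
    dst = ipaddress.IPv6Address(pkt[24:40])
    return dst.is_link_local or (dst.is_multicast and (int(dst) >> 112) & 0xF == 2)  # fe80::/10, ff02::/16


def acl_drops(pkt):
    """Wire-speed stateless rule: drop DHCPv6 server replies (UDP source port 547) on an
    untrusted port. It can only see the headers that are present in this packet."""
    proto, off, _ = find_transport(pkt)
    if proto != IPPROTO_UDP:
        return False
    return struct.unpack("!H", pkt[off:off + 2])[0] == DHCPV6_SERVER_PORT


def hardened_drops(pkt):
    """acl_drops plus the two countermeasures from the post."""
    proto, _, fragmented = find_transport(pkt)
    if fragmented and dst_is_link_scope(pkt):   # no good reason to fragment towards fe80::/ff02::
        return True
    if fragmented and proto is None:            # 'undetermined-transport' (assumed semantics)
        return True
    return acl_drops(pkt)


# Constructed sample traffic: an attacker at SRC answers a client at DST with a bogus
# ADVERTISE (message type 2, transaction-id 0x123456, no options, UDP checksum left 0).
SRC, DST = "fe80::c0ff:ee00:0:1", "fe80::1234"
ADVERTISE = b"\x02\x12\x34\x56"


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def rogue_advertise():
    dgram = udp(DHCPV6_SERVER_PORT, 546, ADVERTISE)
    return ipv6_header(IPPROTO_UDP, SRC, DST, len(dgram)) + dgram


def rogue_advertise_evasion():
    """Same reply, but a 64-byte destination-options header fills the first fragment,
    so the UDP header only appears in the second one."""
    dgram, opts, ident = udp(DHCPV6_SERVER_PORT, 546, ADVERTISE), dest_opts(IPPROTO_UDP, 64), 0x0BADF00D
    frag1 = fragment_header(60, 0, True, ident) + opts
    frag2 = fragment_header(60, len(opts) // 8, False, ident) + dgram
    return [ipv6_header(IPV6_FRAGMENT, SRC, DST, len(frag1)) + frag1,
            ipv6_header(IPV6_FRAGMENT, SRC, DST, len(frag2)) + frag2]


def benign_fragment():
    """First fragment of ordinary UDP to a global address: transport header is present."""
    dgram = udp(40000, 53, b"\x00" * 100)
    frag = fragment_header(IPPROTO_UDP, 0, True, 1) + dgram
    return ipv6_header(IPV6_FRAGMENT, "2001:db8::a", "2001:db8::b", len(frag)) + frag


if __name__ == "__main__":
    for name, pkts in [("unfragmented", [rogue_advertise()]),
                       ("fragmented evasion", rogue_advertise_evasion()),
                       ("benign fragment", [benign_fragment()])]:
        print(name, "acl:", [acl_drops(p) for p in pkts], "hardened:", [hardened_drops(p) for p in pkts])
```

Running it shows the stateless rule dropping the unfragmented reply but passing both evasion fragments, and the hardened policy dropping all three rogue packets while leaving the benign fragment alone. The blunt "drop every fragment to a link-local destination" rule is cheap because it needs only the base header plus a next-header check; the undetermined-transport rule needs the chain walk above, which is why not every platform does it at wire speed.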


