{SPAM?} Re: IPv6 Deployment for the LAN

David W. Hankins David_Hankins at isc.org
Thu Oct 22 18:46:16 CDT 2009


On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
> Really.  How do we deal with rouge DHCP on the wireless LAN, obviously
> this is such a complex issue that we couldn't possibly have a solution
> that could be applied to RA.

There are some wireless equipment that claim to have a setting that
forces all packets through the wireless bridge (where all traffic is
between clients and bridge, and never client to client), and so one
can filter DHCPv6 and maybe RA, but I am kind of skeptical about how
much of this is elective and dependent upon client implementation...

In both cases there may still be some wireless adapters that receive
bogus packets directly from attackers.

And then you bring ND into the question and wonder why you bothered
with either RA or DHCP filtering.


DHCPv6 (and DHCPv4 with RFC 3118) has per-message cryptographic
authentication.

The problem however has been the key distribution model.  Here it all
falls down, and leads to poor deployment.

But with DHCPv*, we have a hope that we can secure it if we can solve
that last problem (and at least I think we can).

So if you accept that as an outcome, one must ponder the question:

How long will people accept that a secured DHCPv6 session must rely,
in order to function to expectations, upon the unsecurable RA and/or
questionably secure SEND?

-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20091022/d1cec517/attachment.bin>


More information about the NANOG mailing list