The stupidity of trying to "fix" DHCPv6

Matt Addison matt.addison at lists.evilgeni.us
Tue Jun 14 20:55:29 UTC 2011


On Tue, Jun 14, 2011 at 12:41, Ray Soucy <rps at maine.edu> wrote:
>
> The energy in this thread should be focused on switch vendors to
> actually implement L2 security features for IPv6, which is usually an
> easy upgrade; rather than calling for all host implementations of IPv6
> to work differently; which will take a decade to implement and be a
> band-aid at best; not a good long-term design for the protocol.

There was a thread on this subject over on ipv6-ops (Hello to the list
and RA guard evasion technique) recently which outlined some of the
problems currently facing vendors and implementing those 'easy
upgrade' L2 security features. Due to the current state of host stacks
with regards to fragment reassembly it's almost impossible to
implement easily on a layer 2 device without exposing yourself to
other DoS possibilities.

There're also some I-Ds which cover the issues:
http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt
http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-00.txt

~Matt




More information about the NANOG mailing list