DHCPv6 authentication

Jared Mauch jared at puck.Nether.net
Thu Aug 21 11:47:51 UTC 2014 

	I similarly was counting on 802.1x + RA-Guard and other
techniques.

	I can easier do an insider attack by gaining console or connecting
to a trusted wire as most places I've seen don't do 802.1x on wired
but do on wireless.

	I'm not going to enumerate the universe for the sake of 6man/dhc
or v6ops, and this seems like a futile effort.

	- Jared (who sometimes runs a network)

On Thu, Aug 21, 2014 at 03:46:18AM +0000, Templin, Fred L wrote:
> Hi Jared,
> 
> I am assuming 802.1x (or equivalent) security at L2, but the "link" between
> my DHCPv6 client and server is actually a tunnel that may travel over many
> network layer hops. So, it is possible for legitimate client A to have its
> leases canceled by rogue client B unless DHCPv6 auth or something similar
> is used. Yes, rogue client B would also have to be authenticated to connect
> to the network the same as legitimate client A, but it could be an "insider
> attack" (e.g., where B is a disgruntled employee trying to get back at a
> corporate adversary A).
> 
> Thanks - Fred
> fred.l.templin at boeing.com
> 
> 
> > -----Original Message-----
> > From: Jared Mauch [mailto:jared at puck.nether.net]
> > Sent: Wednesday, August 20, 2014 5:14 PM
> > To: Templin, Fred L
> > Cc: nanog list
> > Subject: Re: DHCPv6 authentication
> > 
> > If you are already connected to the network you are going to be deemed as authenticated. I'm unaware
> > of anyone doing dhcp authentication.
> > 
> > Jared Mauch
> > 
> > > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin at boeing.com> wrote:
> > >
> > > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > > operational networks? If so, what has been the experience in terms
> > > of DHCPv6 servers being able to discern legitimate clients from
> > > rogue clients?
> > >
> > > Thanks - Fred
> > > fred.l.templin at boeing.com

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

More information about the NANOG mailing list