IPv6 delivery model to end customers

Nathan Ward nanog at daork.net
Sat Feb 7 02:28:31 CST 2009


On 7/02/2009, at 8:45 PM, Mikael Abrahamsson wrote:

> So, what is the security problem with IPv6 in an IPv4 network? Well,  
> imagine an IPv4 network where security is done via ARP inspection,  
> DHCP snooping and L3 ACLs. Now, insert rogue customer who announces  
> itself via RA/DHCPv6 and says it's also DNS. Vista machines will get  
> itself an IPv6 address via RA, ask for DNS-server via DHCPv6, so if  
> the rogue customer can do some NAT-PT like functionality, they are  
> now man in the middle for all the IPv4 traffic (because between the  
> customers it's IPv6 and the L2 device doesn't know anything about  
> that). I don't know if this has actually been done, but I see no  
> theoretical problem with it, if someone can come up with something,  
> please do tell.


It is worth noting that this problem does not require you to start  
sending RA messages - this is a problem as soon as one customer is  
listening to RA messages. The problem may very well exist right now.

--
Nathan Ward





More information about the NANOG mailing list