DHCPv6 authentication

Templin, Fred L Fred.L.Templin at boeing.com
Thu Aug 21 03:46:18 UTC 2014


Hi Jared,

I am assuming 802.1x (or equivalent) security at L2, but the "link" between
my DHCPv6 client and server is actually a tunnel that may travel over many
network layer hops. So, it is possible for legitimate client A to have its
leases canceled by rogue client B unless DHCPv6 auth or something similar
is used. Yes, rogue client B would also have to be authenticated to connect
to the network the same as legitimate client A, but it could be an "insider
attack" (e.g., where B is a disgruntled employee trying to get back at a
corporate adversary A).

Thanks - Fred
fred.l.templin at boeing.com


> -----Original Message-----
> From: Jared Mauch [mailto:jared at puck.nether.net]
> Sent: Wednesday, August 20, 2014 5:14 PM
> To: Templin, Fred L
> Cc: nanog list
> Subject: Re: DHCPv6 authentication
> 
> If you are already connected to the network you are going to be deemed as authenticated. I'm unaware
> of anyone doing dhcp authentication.
> 
> Jared Mauch
> 
> > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin at boeing.com> wrote:
> >
> > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > operational networks? If so, what has been the experience in terms
> > of DHCPv6 servers being able to discern legitimate clients from
> > rogue clients?
> >
> > Thanks - Fred
> > fred.l.templin at boeing.com


More information about the NANOG mailing list