IPv6 Security [Was: Re: misunderstanding scale]

Wed Mar 26 17:55:03 UTC 2014

On 03/24/2014 06:18 PM, Owen DeLong wrote:
> DHCPv6 is no less robust in my experience than DHCPv4.
>
> ARP and ND have mostly equivalent issues.

This depends a lot on what you mean by 'robust'

Now, I have dealt with NAT, and I see IPv6 as a technology with the 
potential to make my life less unpleasant.   I really want IPv6 to 
succeed.

However, DHCPv6 isn't anywhere near as useful for me, as someone who 
normally deals with IPs that don't change, as DHCPv4 is.

With DHCPv4, my customers all get an address based on their mac that 
doesn't change if their box is re-installed.  I configure this on the 
DHCP server, and the customer can run whatever dhcp client they like on 
whatever OS they like and they get the same IP every time.

With DHCPv6 there is a time-based identifier that is added to the mac 
that makes it impossible, as far as I can tell, to give the customer a 
consistent IP across OS wipes without doing significant client 
configuration.

There are many ways to skin this cat; stateless autoconfig looks like it 
mostly works, but privacy extensions seem to be the default in many 
places; outgoing IPv6 from those random addresses will trip my BCP38 
filters.   That, and reading the standard, it sure doesn't sound like 
consistency was a goal, even though it seems fairly consistent 
experimentally.  there's a lot of "generally" and "may"  in the text 
about what it adds to the mac in order to get the local identifier.

It might make sense to just give everyone their own vlan and their own 
/64;  that would, of course, bring its own problems and complexities 
(namely that I've gotta have the capability to deal with more customers 
than I can have native vlans -  not impossible to get around, but 
significant added complexity.)

I suppose I can also just keep DHCPv4 around, and if folks want IPv6, 
well, they have to wire down the address themselves.   That's how I'm 
doing it now.