IPv6 Security [Was: Re: misunderstanding scale]
Luke S. Crawford
lsc at prgmr.com
Wed Mar 26 17:55:03 UTC 2014
On 03/24/2014 06:18 PM, Owen DeLong wrote:
> DHCPv6 is no less robust in my experience than DHCPv4.
> ARP and ND have mostly equivalent issues.
This depends a lot on what you mean by 'robust'
Now, I have dealt with NAT, and I see IPv6 as a technology with the
potential to make my life less unpleasant. I really want IPv6 to
However, DHCPv6 isn't anywhere near as useful for me, as someone who
normally deals with IPs that don't change, as DHCPv4 is.
With DHCPv4, my customers all get an address based on their mac that
doesn't change if their box is re-installed. I configure this on the
DHCP server, and the customer can run whatever dhcp client they like on
whatever OS they like and they get the same IP every time.
With DHCPv6 there is a time-based identifier that is added to the mac
that makes it impossible, as far as I can tell, to give the customer a
consistent IP across OS wipes without doing significant client
There are many ways to skin this cat; stateless autoconfig looks like it
mostly works, but privacy extensions seem to be the default in many
places; outgoing IPv6 from those random addresses will trip my BCP38
filters. That, and reading the standard, it sure doesn't sound like
consistency was a goal, even though it seems fairly consistent
experimentally. there's a lot of "generally" and "may" in the text
about what it adds to the mac in order to get the local identifier.
It might make sense to just give everyone their own vlan and their own
/64; that would, of course, bring its own problems and complexities
(namely that I've gotta have the capability to deal with more customers
than I can have native vlans - not impossible to get around, but
significant added complexity.)
I suppose I can also just keep DHCPv4 around, and if folks want IPv6,
well, they have to wire down the address themselves. That's how I'm
doing it now.
More information about the NANOG