IPv6 Security [Was: Re: misunderstanding scale]
mohacsi at niif.hu
Wed Mar 26 18:24:33 UTC 2014
On Wed, 26 Mar 2014, Luke S. Crawford wrote:
> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4.
>> ARP and ND have mostly equivalent issues.
> This depends a lot on what you mean by 'robust'.
> Now, I have dealt with NAT, and I see IPv6 as a technology with the potential
> to make my life less unpleasant. I really want IPv6 to succeed.
> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally
> deals with IPs that don't change, as DHCPv4 is.
> With DHCPv4, my customers all get an address based on their MAC that doesn't
> change if their box is re-installed. I configure this on the DHCP server,
> and the customer can run whatever DHCP client they like on whatever OS they
> like and they get the same IP every time.
> With DHCPv6 there is a time-based identifier that is added to the MAC that
> makes it impossible, as far as I can tell, to give the customer a consistent
> IP across OS wipes without doing significant client configuration.
This is a stupidity of the DHCPv6 client/OS implementation. They should use
DUID type 3 (DUID-LL) by default, not DUID type 1 (DUID-LLT). This can be
circumvented by setting the default to type 3, but...
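
Added example, not part of the original message or of any DHCPv6 implementation: a Python sketch of the two DUID layouts from RFC 3315 discussed above, showing why a DUID-LLT changes when the OS regenerates it after a reinstall while a DUID-LL for the same interface does not. The MAC address, the two install dates and the function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # time base for DUID-LLT
HW_ETHERNET = 1                                         # hardware type: Ethernet
DUID_LLT, DUID_LL = 1, 3

def make_duid_llt(mac: bytes, generated: datetime) -> bytes:
    """Type 1: type(2) | hwtype(2) | seconds since 2000-01-01 mod 2^32 (4) | lladdr."""
    secs = int((generated - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac

def make_duid_ll(mac: bytes) -> bytes:
    """Type 3: type(2) | hwtype(2) | lladdr. No time field."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac

def parse_duid(duid: bytes) -> dict:
    """Decode a DUID-LLT or DUID-LL; reject anything else or truncated input."""
    if len(duid) < 4:
        raise ValueError("DUID too short")
    dtype, hwtype = struct.unpack("!HH", duid[:4])
    if dtype == DUID_LLT:
        if len(duid) < 8:
            raise ValueError("truncated DUID-LLT")
        (secs,) = struct.unpack("!I", duid[4:8])
        return {"type": "DUID-LLT", "hwtype": hwtype, "time": secs, "lladdr": duid[8:]}
    if dtype == DUID_LL:
        return {"type": "DUID-LL", "hwtype": hwtype, "time": None, "lladdr": duid[4:]}
    raise ValueError(f"unsupported DUID type {dtype}")

# Constructed sample data: one NIC, two OS installs a year apart.
MAC = bytes.fromhex("020000000001")
FIRST_INSTALL = datetime(2014, 3, 26, tzinfo=timezone.utc)
REINSTALL = datetime(2015, 3, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, duid in [
        ("LLT, first install", make_duid_llt(MAC, FIRST_INSTALL)),
        ("LLT, after wipe   ", make_duid_llt(MAC, REINSTALL)),
        ("LL,  first install", make_duid_ll(MAC)),
        ("LL,  after wipe   ", make_duid_ll(MAC)),
    ]:
        print(label, duid.hex(), parse_duid(duid))
```

A server reservation keyed on the full DUID matches both DUID-LL lines but only one of the DUID-LLT lines, even though all four carry the same link-layer address.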