IPv6 Security [Was: Re: misunderstanding scale]

Mohacsi Janos mohacsi at niif.hu
Wed Mar 26 18:24:33 UTC 2014

On Wed, 26 Mar 2014, Luke S. Crawford wrote:

> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4.
>> ARP and ND have mostly equivalent issues.
> This depends a lot on what you mean by 'robust'
> Now, I have dealt with NAT, and I see IPv6 as a technology with the potential 
> to make my life less unpleasant.   I really want IPv6 to succeed.
> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally 
> deals with IPs that don't change, as DHCPv4 is.
> With DHCPv4, my customers all get an address based on their mac that doesn't 
> change if their box is re-installed.  I configure this on the DHCP server, 
> and the customer can run whatever dhcp client they like on whatever OS they 
> like and they get the same IP every time.
> With DHCPv6 there is a time-based identifier that is added to the mac that 
> makes it impossible, as far as I can tell, to give the customer a consistent 
> IP across OS wipes without doing significant client configuration.

This is stupidity of the DHCPv6 client/OS implementation. They should use 
DUID type 3 (DUID-LL) by default, not DUID type 1 (DUID-LLT). This can be 
circumvented by setting the default to type 3, but...
 			Janos Mohacsi

More information about the NANOG mailing list