preventing malicious DHCPv6 stuff

TJ trejrco at gmail.com
Tue Sep 16 14:56:55 CEST 2008


>
>On Sep 14, 2008, at 3:14 AM, Leen Besselink wrote:
>>
>> So, I suggest adding these on the list first:
>>
>> - RA, a per port setting (or for a very simple switch, just the
>> uplink-port ?)
>> - Type 0, Routing header (per port or possible all ports on a very
>> simple switch)
>>
>> Any other idea's ?
>
>Drop incoming packets from edge ports with a source port of udp/547 to
>prevent rouge dhcpv6 servers.
>
>Dale

And possibly "keep an eye" open for ff02::1:2 and ff05::1:3 traffic in
unexpected places ...

(I am hoping vendors produce (in Cisco-speak) "DHCPv6 Guard", similar in
function to "DHCP Guard" for IPv4 ... would be a nice compliment to the "RA
Guard" functionality they are working on.  Anyone know if Cisco has that on
their list ... ?)


/TJ




More information about the ipv6-ops mailing list