preventing malicious DHCPv6 stuff

Tue Sep 16 14:56:55 CEST 2008

>On Sep 14, 2008, at 3:14 AM, Leen Besselink wrote:
>> So, I suggest adding these on the list first:
>> - RA, a per port setting (or for a very simple switch, just the
>> uplink-port ?)
>> - Type 0, Routing header (per port or possibly all ports on a very
>> simple switch)
>> Any other ideas ?
>Drop incoming packets from edge ports with a source port of udp/547 to
>prevent rogue dhcpv6 servers.

And possibly "keep an eye" open for ff02::1:2 and ff05::1:3 traffic in
unexpected places ...

(I am hoping vendors produce (in Cisco-speak) "DHCPv6 Guard", similar in
function to "DHCP Guard" for IPv4 ... would be a nice complement to the "RA
Guard" functionality they are working on.  Anyone know if Cisco has that on
their list ... ?)
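
The two checks discussed in this thread, as an added example that is not part of the original messages or any vendor's implementation: drop udp/547-sourced packets arriving on edge ports, and flag ff02::1:2 / ff05::1:3 traffic on ports where no DHCPv6 is expected. It walks IPv6 extension headers so a rogue reply cannot slip past a filter that only looks at the first Next Header field. The port names, the quiet_ports set and all function names are assumptions made for the example; the packets are constructed.

```python
import ipaddress
import struct

SERVER_PORT = 547                       # DHCPv6 server/relay UDP port
SERVER_GROUPS = {ipaddress.IPv6Address("ff02::1:2"),   # All_DHCP_Relay_Agents_and_Servers
                 ipaddress.IPv6Address("ff05::1:3")}   # All_DHCP_Servers
EXT, FRAG, UDP = {0, 43, 60}, 44, 17    # hop-by-hop/routing/dest-opts, fragment, UDP

def parse_udp(pkt):
    """Return (dst, sport, dport) of a raw IPv6 packet carrying UDP, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in EXT or nxt == FRAG:    # walk the chain so ext headers cannot hide UDP
        if len(pkt) < off + 8:
            return None
        if nxt == FRAG and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            return None                 # non-first fragment: no UDP header to read
        size = 8 if nxt == FRAG else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    if nxt != UDP or len(pkt) < off + 4:
        return None
    sport, dport = struct.unpack("!HH", pkt[off:off + 4])
    return ipaddress.IPv6Address(pkt[24:40]), sport, dport

def classify(pkt, port, uplinks, quiet_ports=frozenset()):
    """'drop', 'watch' or 'pass' for a packet received on switch port `port`."""
    parsed = parse_udp(pkt)
    if parsed is None:
        return "pass"
    dst, sport, _ = parsed
    if port not in uplinks and sport == SERVER_PORT:
        return "drop"                   # server-sourced traffic from an edge port
    if dst in SERVER_GROUPS and port in quiet_ports:
        return "watch"                  # DHCPv6 multicast where none is expected
    return "pass"

def build(src, dst, sport, dport, ext=b""):
    """Constructed test packet: IPv6 header, optional dest-options header, UDP."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    first = 60 if ext else UDP
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(udp), first, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext + udp

DEST_OPTS = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])   # next=UDP, len=0 (8 bytes), PadN filler
ROGUE = build("fe80::bad", "fe80::1", 547, 546)                 # reply from an edge host
HIDDEN = build("fe80::bad", "fe80::1", 547, 546, DEST_OPTS)     # same, behind an ext header
SOLICIT = build("fe80::1", "ff02::1:2", 546, 547)               # ordinary client Solicit
```

Non-first fragments carry no UDP header, so this check passes them; a filter that has to be strict would also need a policy for fragmented traffic from edge ports.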


