IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices

Florian Weimer fw at deneb.enyo.de
Sun May 8 11:14:13 CEST 2011


* Gert Doering:

> Hi,
>
> On Sun, May 08, 2011 at 10:39:27AM +0200, Florian Weimer wrote:
>> * Mikael Abrahamsson:
>> 
>> > It depends on what you mean by "secure". SLAAC is inherently "host can
>> > take whatever address it wants as long as it's not already in use".
>> 
>> I'm mostly interested in IPv6 over Ethernet.  It seems to me that with
>> SLAAC, any host in the same broadcast domain can tell the Ethernet
>> layer to redirect any IPv6 traffic to it.  I would call this
>> "insecure".
>
> Just like IPv4 over Ethernet, indeed.

Sure, but there's technology to deal with that (DHCP snooping, private
VLANs, unicast flood protection; you need all three of them, and they
are somewhat vendor-specific).

> Nothing particularly related to *SLAAC* - a malicious host can do
> this on any address allocation technology, as long as the network
> components don't validate what hosts are doing.

I just wanted to know if typical network components can be configured
to validate IPv6 addresses, in the way they can validate IPv4
addresses (particularly in terms of configuration overhead).

> IPv6 has SeND to tackle ND-spoofing attacks, but that has not been 
> widely implemented yet.

SeND does not actually solve anything at all when running on top of
Ethernet, which is the most important case to deal with.  A real
solution requires cooperation between IEEE and the IETF, which is not
going to happen.  Like for IPv4, we need to wait for vendor-specific
solutions to appear.
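
Added illustration, not part of the original message and not any vendor's implementation: the per-port validation this thread asks about, sketched as a first-come-first-served binding table that checks neighbor discovery messages against the port and MAC that first claimed an address. The `NDMessage` fields, port names, addresses and verdict strings are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address

UNSPECIFIED = IPv6Address("::")

@dataclass(frozen=True)
class NDMessage:
    """Constructed, simplified view of an ICMPv6 neighbor discovery frame."""
    port: str            # switch port the frame arrived on (hypothetical names)
    src_mac: str         # Ethernet source address
    kind: str            # "NS" (solicitation) or "NA" (advertisement)
    src_ip: IPv6Address  # IPv6 source; "::" in a duplicate address detection probe
    target: IPv6Address  # ND target address field

@dataclass
class BindingTable:
    bindings: dict = field(default_factory=dict)  # address -> (port, MAC)

    def inspect(self, msg: NDMessage) -> str:
        here = (msg.port, msg.src_mac.lower())
        if msg.kind == "NS" and msg.src_ip == UNSPECIFIED:
            # DAD probe: the first claimant gets the binding. A later probe
            # is forwarded so the owner can defend, but the binding stays.
            if msg.target not in self.bindings:
                self.bindings[msg.target] = here
                return "learn"
            return "forward"
        # Any other ND message asserts an address: the target in an NA,
        # the IPv6 source in a regular NS. It must match the binding.
        claimed = msg.target if msg.kind == "NA" else msg.src_ip
        return "forward" if self.bindings.get(claimed) == here else "drop"

def run(events):
    table = BindingTable()
    return [table.inspect(e) for e in events]

# Constructed sample traffic (documentation prefix, locally administered MACs).
ADDR = IPv6Address("2001:db8::10")
HOST_A = ("port1", "02:00:00:00:00:0a")
HOST_B = ("port2", "02:00:00:00:00:0b")
EVENTS = [
    NDMessage(*HOST_A, "NS", UNSPECIFIED, ADDR),  # A claims the address
    NDMessage(*HOST_A, "NA", ADDR, ADDR),         # A answers for it
    NDMessage(*HOST_B, "NA", ADDR, ADDR),         # B advertises A's address
    NDMessage(*HOST_B, "NS", UNSPECIFIED, ADDR),  # B probes: no rebinding
    NDMessage(*HOST_B, "NS", ADDR, IPv6Address("2001:db8::1")),  # B sources it
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(event.port, event.kind, event.target, verdict)
```

The table only helps if the device can tie each frame to a physical port, which is the configuration overhead the message compares with the IPv4 case.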



More information about the ipv6-ops mailing list