IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices
fw at deneb.enyo.de
Sun May 8 11:14:13 CEST 2011
* Gert Doering:
> On Sun, May 08, 2011 at 10:39:27AM +0200, Florian Weimer wrote:
>> * Mikael Abrahamsson:
>> > It depends on what you mean by "secure". SLAAC is inherently "host can
>> > take whatever address it wants as long as it's not already in use".
>> I'm mostly interested in IPv6 over Ethernet. It seems to me that with
>> SLAAC, any host in the same broadcast domain can tell the Ethernet
>> layer to redirect any IPv6 traffic to it. I would call this
> Just like IPv4 over Ethernet, indeed.
Sure, but there's technology to deal with that (DHCP snooping, private
VLANs, unicast flood protection; you need all three of them, and they
are somewhat vendor-specific).
> Nothing particularly related to *SLAAC* - a malicious host can do
> this on any address allocation technology, as long as the network
> components don't validate what hosts are doing.
I just wanted to know if typical network components can be configured
to validate IPv6 addresses, in the way they can validate IPv4
addresses (particularly in terms of configuration overhead).
> IPv6 has SeND to tackle ND-spoofing attacks, but that has not been
> widely implemented yet.
SeND does not actually solve anything at all when running on top of
Ethernet, which is the most important case to deal with. A real
solution requires cooperation between IEEE and the IETF, which is not
going to happen. Like for IPv4, we need to wait for vendor-specific
solutions to appear.