IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices

Gert Doering gert at space.net
Sun May 8 11:57:52 CEST 2011


On Sun, May 08, 2011 at 11:43:36AM +0200, Florian Weimer wrote:
> * Gert Doering:
> > SeND alone will validate the IPv6-to-MAC layer mapping, which nicely
> > solves all attacks against redirecting IPv6 packets to a different
> > MAC address.  Combine with static MAC addressing at switch ports 
> > (port-security or static) and you have solved the problem of one
> > customer stealing another customer's IPv6 packets.
> You still need unicast flood protection.

What's the attack that would be prevented by that?  ND cache overflowing?

> Does this type of static address configuration really work in
> practice?  I would expect to cause it trouble with mobile devices and
> virtualization.

Well, it depends on what type of devices you have there, and what the
attacks are that you want to defend against.

Gert Doering
        -- NetMaster
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20110508/a17bf1ab/attachment.bin 

More information about the ipv6-ops mailing list