IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices

Florian Weimer fw at deneb.enyo.de
Sun May 8 12:17:37 CEST 2011


* Mark Smith:

> On Sun, 08 May 2011 11:43:36 +0200
> Florian Weimer <fw at deneb.enyo.de> wrote:
>
>> * Gert Doering:
>> 
>> > SeND alone will validate the IPv6-to-MAC layer mapping, which nicely
>> > solves all attacks against redirecting IPv6 packets to a different
>> > MAC address.  Combine with static MAC addressing at switch ports 
>> > (port-security or static) and you have solved the problem of one
>> > customer stealing another customer's IPv6 packets.
>> 
>> You still need unicast flood protection.

> What is that? 

Some switches periodically broadcast unicast traffic.  This is a
problem for DNS traffic, for instance.  It enables non-blind spoofing
of DNS responses.  Source address validation on your network doesn't
help because the spoofed response could be injected somewhere without
filters.

(Don't count on TLD operators notifying you when they become
customers.  Some of them happily buy mass-market products. 8-/)
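The unicast-flooding exposure described above can be checked for from the receiving side: any unicast frame that reaches a station's port but is addressed to some other MAC is, by definition, traffic the switch flooded rather than forwarded. The script below is an added illustration written for this archived thread, not code from the poster or the list; it builds a handful of constructed Ethernet/IPv4/UDP frames (all MACs and addresses are made-up sample values), classifies each frame as ours, broadcast, multicast or flooded unicast, and reports flooded DNS responses, since those are the ones whose transaction ID and client port a third party should never be able to see.

```python
"""Spot unicast flooding by looking at frames delivered to a port that are
addressed to neither the port's own MAC, the broadcast MAC nor a multicast MAC.
Constructed example; MAC and IP values are sample data, not a real network."""
import struct

# Constructed station MACs (locally administered, 02:... prefix).
MY_MAC = bytes.fromhex("02aabbccddee")        # the port we are capturing on
OTHER_CUSTOMER = bytes.fromhex("021122334455") # a neighbouring customer port
RESOLVER_MAC = bytes.fromhex("020a0b0c0d0e")   # the ISP resolver's gateway MAC
BROADCAST = b"\xff" * 6
ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD


def build_frame(dst, src, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet II / IPv4 / UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     src_ip, dst_ip) + udp
    return dst + src + struct.pack("!H", ETH_IPV4) + ip


def parse_frame(frame):
    """Return dst/src MACs, ethertype and, for IPv4/UDP, the (sport, dport) pair."""
    info = {"dst": frame[:6], "src": frame[6:12],
            "ethertype": struct.unpack("!H", frame[12:14])[0], "udp": None}
    if info["ethertype"] != ETH_IPV4:
        return info
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 17:               # protocol field: 17 = UDP
        return info
    off = 14 + ihl
    info["udp"] = struct.unpack("!HH", frame[off:off + 4])
    return info


def classify(frame, my_mac=MY_MAC):
    """Label a received frame by how it reached this port."""
    dst = parse_frame(frame)["dst"]
    if dst == my_mac:
        return "ours"
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 1:                        # I/G bit set: group address
        return "multicast"
    return "flooded-unicast"              # unicast for someone else: flooded


def flooded_dns(frames, my_mac=MY_MAC):
    """List (victim MAC hex, client UDP port) for flooded DNS responses.

    A DNS response (UDP source port 53) seen on a port it was not addressed to
    reveals the client's port and transaction ID to that port's owner."""
    hits = []
    for f in frames:
        if classify(f, my_mac) != "flooded-unicast":
            continue
        p = parse_frame(f)
        if p["udp"] and p["udp"][0] == 53:
            hits.append((p["dst"].hex(), p["udp"][1]))
    return hits


# Constructed capture: what a customer port might see from a flooding switch.
RESOLVER_IP, MY_IP, OTHER_IP = (bytes([10, 0, 0, 53]), bytes([10, 0, 0, 10]),
                                bytes([10, 0, 0, 20]))
DNS_REPLY = b"\x12\x34\x81\x80" + b"\x00" * 8   # minimal DNS-looking payload
SAMPLE_FRAMES = [
    build_frame(MY_MAC, RESOLVER_MAC, RESOLVER_IP, MY_IP, 53, 51234, DNS_REPLY),
    BROADCAST + OTHER_CUSTOMER + struct.pack("!H", ETH_ARP) + b"\x00" * 28,
    bytes.fromhex("333300000001") + OTHER_CUSTOMER
        + struct.pack("!H", ETH_IPV6) + b"\x00" * 40,
    build_frame(OTHER_CUSTOMER, RESOLVER_MAC, RESOLVER_IP, OTHER_IP, 53, 40000,
                DNS_REPLY),
    build_frame(OTHER_CUSTOMER, RESOLVER_MAC, RESOLVER_IP, OTHER_IP, 1234, 5678,
                b"x"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify(f), parse_frame(f)["dst"].hex())
    print("flooded DNS responses:", flooded_dns(SAMPLE_FRAMES))
```

A non-empty result from `flooded_dns` on a production access port is the symptom the mail is talking about: the fix is on the switch side (static or port-security MAC bindings so the destination is always known, or disabling unknown-unicast flooding on customer ports), not in the DNS client.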

