IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices
Martin Millnert
martin at millnert.se
Mon May 9 07:44:09 CEST 2011
On Sun, 2011-05-08 at 10:39 +0200, Florian Weimer wrote:
> * Mikael Abrahamsson:
>
> > It depends on what you mean by "secure". SLAAC is inherently "host can
> > take whatever address it want as long as it's not already in use".
>
> I'm mostly interested in IPv6 over Ethernet. It seems to me that with
> SLAAC, any host in the same broadcast domain can tell the Ethernet
> layer to redirect any IPv6 traffic to it. I would call this
> "insecure".
>
> > Inherently SLAAC is "flexible" and "easy", which usually implies "not
> > secure" :P
>
> Is there any other technology which prevents Ethernet-based attacks on
> IPv6?
>
> To my knowledge, the only thing that can be implemented in a
> cross-vendor fashion is to put each host into its own broadcast
> domain, but tool support for that appears to be poor.
>From a broadband access perspective, that would become each cust [link]
in its own broadcast domain. Which is a desirable design goal IMO.
Anything else, including various forms of filters, are essentially
various forms of hacks (band-aids applied after the problem is created
to mitigate the problem), until there is universal support for SeND,
etc.
If you must have several hosts on the same broadcast domain and want
end-to-end security, and want to avoid attacks from layers below, I
suggest using application layer end-to-end security: SSH, TLS, et al.
Or, for accessing a controlled set of resources, a VPN.
For broadband, if non-shared broadcast domain between customers is
totally out of the question, but you still have money to buy new
equipment, SAVI as Mikael pointed out may be a solution.
Best Regards,
Martin
More information about the ipv6-ops
mailing list