nanog mailing list archives
Re: DHCPv6 authentication
From: Jared Mauch <jared () puck Nether net>
Date: Thu, 21 Aug 2014 07:47:51 -0400
I similarly was counting on 802.1x + RA-Guard and other techniques.

I can more easily do an insider attack by gaining console or connecting to a trusted wire, as most places I've seen don't do 802.1x on wired but do on wireless.

I'm not going to enumerate the universe for the sake of 6man/dhc or v6ops, and this seems like a futile effort.

- Jared (who sometimes runs a network)

On Thu, Aug 21, 2014 at 03:46:18AM +0000, Templin, Fred L wrote:

Hi Jared,

I am assuming 802.1x (or equivalent) security at L2, but the "link" between my DHCPv6 client and server is actually a tunnel that may travel over many network layer hops. So, it is possible for legitimate client A to have its leases canceled by rogue client B unless DHCPv6 auth or something similar is used.

Yes, rogue client B would also have to be authenticated to connect to the network the same as legitimate client A, but it could be an "insider attack" (e.g., where B is a disgruntled employee trying to get back at a corporate adversary A).

Thanks - Fred
fred.l.templin () boeing com

-----Original Message-----
From: Jared Mauch [mailto:jared () puck nether net]
Sent: Wednesday, August 20, 2014 5:14 PM
To: Templin, Fred L
Cc: nanog list
Subject: Re: DHCPv6 authentication

If you are already connected to the network you are going to be deemed as authenticated. I'm unaware of anyone doing dhcp authentication.

Jared Mauch

On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin () boeing com> wrote:

Hi - does anyone know if DHCPv6 authentication is commonly used in operational networks? If so, what has been the experience in terms of DHCPv6 servers being able to discern legitimate clients from rogue clients?

Thanks - Fred
fred.l.templin () boeing com

--
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.