nanog mailing list archives
Re: IPv6 delivery model to end customers
From: Nathan Ward <nanog () daork net>
Date: Sat, 7 Feb 2009 21:28:31 +1300
On 7/02/2009, at 8:45 PM, Mikael Abrahamsson wrote:
So, what is the security problem with IPv6 in an IPv4 network? Well, imagine an IPv4 network where security is done via ARP inspection, DHCP snooping and L3 ACLs. Now, insert rogue customer who announces itself via RA/DHCPv6 and says it's also DNS. Vista machines will get itself an IPv6 address via RA, ask for DNS-server via DHCPv6, so if the rogue customer can do some NAT-PT like functionality, they are now man in the middle for all the IPv4 traffic (because between the customers it's IPv6 and the L2 device doesn't know anything about that). I don't know if this has actually been done, but I see no theoretical problem with it, if someone can come up with something, please do tell.
It is worth noting that this problem does not require you to start sending RA messages - this is a problem as soon as one customer is listening to RA messages. The problem may very well exist right now.
-- Nathan Ward
Current thread:
- IPv6 delivery model to end customers Mikael Abrahamsson (Feb 06)
- Re: IPv6 delivery model to end customers Nathan Ward (Feb 07)
- Re: IPv6 delivery model to end customers Jack Bates (Feb 07)
- RE: IPv6 delivery model to end customers John Lee (Feb 07)
- RE: IPv6 delivery model to end customers Mikael Abrahamsson (Feb 07)
- RE: IPv6 delivery model to end customers John Lee (Feb 07)
- RE: IPv6 delivery model to end customers Pekka Savola (Feb 09)
- RE: IPv6 delivery model to end customers Mikael Abrahamsson (Feb 09)
- RE: IPv6 delivery model to end customers Soucy, Ray (Feb 09)
- Re: IPv6 delivery model to end customers Mark Tinka (Feb 09)
- RE: IPv6 delivery model to end customers TJ (Feb 09)
- RE: IPv6 delivery model to end customers TJ (Feb 09)
- RE: IPv6 delivery model to end customers Mikael Abrahamsson (Feb 07)