nanog mailing list archives

Re: Mac OS X 10.7, still no DHCPv6


From: Steven Bellovin <smb () cs columbia edu>
Date: Sun, 27 Feb 2011 22:47:58 -0500


On Feb 27, 2011, at 10:25 25AM, Dobbins, Roland wrote:

> On Feb 27, 2011, at 10:22 PM, Mikael Abrahamsson wrote:
>
>> Which is one of the reasons why some of us want DHCPv6 support in hosts.
>
> Also for traceback when hunting down compromised/abusive hosts.

You really need to look at switch logs for that, even with IPv4:
http://www.cs.columbia.edu/~smb/talks/arp-attack.pdf
Also don't forget privacy-enhanced addresses.

We all know that bad guys make up addresses whenever it suits their
needs.  (I'm part of an ongoing discussion about a currently-active
series of incidents, all relying on spoofed source addresses.)
DHCP logs or configurations are not going to help against the
folks we really care about.  For the ankle-biters -- well, SLAAC
is better in many ways, since the IP address itself tells you
the MAC address, which makes applying filters so much easier...

I'm not saying there are no uses for DHCPv6, though I suspect
that some of the reasons proposed are more people wanting to do
things the way they always do, rather than making small changes
and ending up with equivalent effort.  I am saying that security
is not a strong argument.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
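
The point above about SLAAC addresses carrying the MAC address, together with the caveat about privacy-enhanced addresses, shown as an added example that is not part of the original post. The function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def mac_from_slaac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop any zone id
    iid = ip.packed[8:]                # low 64 bits are the interface ID
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe mid-identifier
        return None                    # privacy, random or manual address
    # Modified EUI-64 inverts the universal/local bit; flip it back.
    # A random ID can match ff:fe by chance, so treat this as a heuristic.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def correlate(addresses):
    """Group source addresses by recovered MAC; list those with no MAC."""
    by_mac, opaque = {}, []
    for a in addresses:
        mac = mac_from_slaac(a)
        if mac is None:
            opaque.append(a)
        else:
            by_mac.setdefault(mac, []).append(a)
    return by_mac, opaque

# Constructed sample: source addresses as they might appear in a flow log.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455",   # SLAAC, EUI-64 derived
    "fe80::211:22ff:fe33:4455%eth0",     # same interface, link-local
    "2001:db8:1:2:59c4:7a1e:3bd:9f20",   # privacy-style random ID
    "2001:db8:1:2::10",                  # manually assigned
]

if __name__ == "__main__":
    by_mac, opaque = correlate(SAMPLE)
    for mac, addrs in by_mac.items():
        print(mac, "->", ", ".join(addrs))
    print("no MAC recoverable (needs switch logs):", ", ".join(opaque))
```

Addresses that land in the second list are the ones for which the address alone gives no MAC.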






