nanog mailing list archives

Re: The stupidity of trying to "fix" DHCPv6


From: Joel Jaeggli <joelja () bogus com>
Date: Fri, 10 Jun 2011 14:42:23 -0700

On Jun 10, 2011, at 11:18 AM, Valdis.Kletnieks () vt edu wrote:

> On Fri, 10 Jun 2011 12:54:17 CDT, Jima said:
>> If we go down this path, how long before we hear screaming about rogue
>> DHCPv6 servers giving v4-only networks a false v6 path?
>
> Already happened.  Good way to install an MITM against any v6-enabled boxes
> on a v4-only network, been multiple reported uses of that technique.

What's more, v4 seems rather less likely to have any countermeasures or methods for detecting this... Back when I worked for a security vendor our endpoint security product specifically disabled IPv6 to address this exposure.
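
Added example, not part of the original message or the thread: a minimal detection check for the situation discussed above, flagging DHCPv6 server messages (ADVERTISE, REPLY, RECONFIGURE) on a segment where none, or only known server DUIDs, are expected. The function names, the allowlist parameter and the sample packets are assumptions constructed for illustration; payloads are assumed to be UDP payloads captured on the DHCPv6 client port (546).

```python
import struct

# DHCPv6 message types sent only by servers (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
OPT_SERVERID = 2  # Server Identifier option, carries the server DUID


def parse_options(payload):
    """Yield (code, data) for each option after the 4-byte DHCPv6 header."""
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated option")
        yield code, payload[off:off + length]
        off += length


def check_dhcpv6(src_addr, payload, allowed_duids=frozenset()):
    """Return an alert string for an unexpected DHCPv6 server message, else None.

    allowed_duids stays empty on a v4-only network, so any server message alerts.
    """
    if len(payload) < 4 or payload[0] not in SERVER_MSG_TYPES:
        return None  # client message, relay message, or not DHCPv6
    name = SERVER_MSG_TYPES[payload[0]]
    try:
        opts = dict(parse_options(payload))
    except ValueError:
        return f"malformed DHCPv6 {name} from {src_addr}"
    duid = opts.get(OPT_SERVERID, b"")
    if duid in allowed_duids:
        return None  # known, authorized server
    return (f"unexpected DHCPv6 {name} from {src_addr} "
            f"server-duid={duid.hex() or 'missing'}")


# Constructed samples: ADVERTISE with a DUID-LL Server ID, and a client SOLICIT.
SAMPLE_DUID = bytes.fromhex("00030001020000000001")
SAMPLE_ADVERTISE = (bytes([2, 1, 2, 3])
                    + struct.pack("!HH", OPT_SERVERID, len(SAMPLE_DUID))
                    + SAMPLE_DUID)
SAMPLE_SOLICIT = bytes([1, 1, 2, 3])

if __name__ == "__main__":
    print(check_dhcpv6("fe80::1", SAMPLE_ADVERTISE))                 # alert
    print(check_dhcpv6("fe80::1", SAMPLE_ADVERTISE, {SAMPLE_DUID}))  # None
```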


