I similarly was counting on 802.1x + RA-Guard and other techniques. I can easier do an insider attack by gaining console or connecting to a trusted wire as most places I've seen don't do 802.1x on wired but do on wireless. I'm not going to enumerate the universe for the sake of 6man/dhc or v6ops, and this seems like a futile effort. - Jared (who sometimes runs a network) On Thu, Aug 21, 2014 at 03:46:18AM +0000, Templin, Fred L wrote:
Hi Jared,
I am assuming 802.1x (or equivalent) security at L2, but the "link" between my DHCPv6 client and server is actually a tunnel that may travel over many network layer hops. So, it is possible for legitimate client A to have its leases canceled by rogue client B unless DHCPv6 auth or something similar is used. Yes, rogue client B would also have to be authenticated to connect to the network the same as legitimate client A, but it could be an "insider attack" (e.g., where B is a disgruntled employee trying to get back at a corporate adversary A).
Thanks - Fred fred.l.templin@boeing.com
-----Original Message----- From: Jared Mauch [mailto:jared@puck.nether.net] Sent: Wednesday, August 20, 2014 5:14 PM To: Templin, Fred L Cc: nanog list Subject: Re: DHCPv6 authentication
If you are already connected to the network you are going to be deemed as authenticated. I'm unaware of anyone doing dhcp authentication.
Jared Mauch
On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
Hi - does anyone know if DHCPv6 authentication is commonly used in operational networks? If so, what has been the experience in terms of DHCPv6 servers being able to discern legitimate clients from rogue clients?
Thanks - Fred fred.l.templin@boeing.com
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.