[111546] in North American Network Operators' Group
Re: IPv6 delivery model to end customers
daemon@ATHENA.MIT.EDU (Nathan Ward)
Sat Feb 7 03:28:40 2009
From: Nathan Ward <nanog@daork.net>
To: nanog list <nanog@nanog.org>
In-Reply-To: <alpine.DEB.1.10.0902070807330.16135@uplift.swm.pp.se>
Date: Sat, 7 Feb 2009 21:28:31 +1300
Errors-To: nanog-bounces@nanog.org
On 7/02/2009, at 8:45 PM, Mikael Abrahamsson wrote:
> So, what is the security problem with IPv6 in an IPv4 network? Well,
> imagine an IPv4 network where security is done via ARP inspection,
> DHCP snooping and L3 ACLs. Now, insert rogue customer who announces
> itself via RA/DHCPv6 and says it's also DNS. Vista machines will get
> themselves an IPv6 address via RA, ask for DNS-server via DHCPv6, so if
> the rogue customer can do some NAT-PT like functionality, they are
> now man in the middle for all the IPv4 traffic (because between the
> customers it's IPv6 and the L2 device doesn't know anything about
> that). I don't know if this has actually been done, but I see no
> theoretical problem with it, if someone can come up with something,
> please do tell.
It is worth noting that this problem does not require you to start
sending RA messages - this is a problem as soon as one customer is
listening to RA messages. The problem may very well exist right now.
--
Nathan Ward
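The thread describes hosts that accept any Router Advertisement (and any RDNSS/DNS option carried in it) on a segment where the L2 gear only inspects IPv4. The following is an added example, not code from the list or from either poster: a small offline audit that parses Ethernet/IPv6/ICMPv6 Router Advertisement frames and flags senders that are not on an operator-maintained allow-list of router MAC addresses, as a monitor would do on a mirror port. The allow-list, the MAC and prefix values, and the sample frames are all constructed here for the example (the frames carry no ICMPv6 checksum, so they are parser input only, not valid on the wire).

```python
import struct
import ipaddress

# Protocol constants (RFC 2464, RFC 4861, RFC 8106).
ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25
ALL_NODES_MAC = bytes.fromhex("333300000001")  # ff02::1 multicast MAC

# Constructed allow-list: the MAC(s) of routers that are supposed to send RAs
# on this segment. Everything else advertising itself as a router is suspect.
ALLOWED_ROUTER_MACS = {"00:11:22:33:44:55"}


def build_ra(src_mac, src_ll, prefix, plen, dns_servers, hop_limit=255):
    """Build a test RA frame (checksum left zero, so it is parser input only)."""
    opts = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                       2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    if dns_servers:  # RDNSS option: the "I am also your DNS server" part
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800)
        opts += b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers)
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + opts
    ip = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
          + ipaddress.IPv6Address(src_ll).packed
          + ipaddress.IPv6Address("ff02::1").packed)
    return ALL_NODES_MAC + src_mac + struct.pack("!H", ETH_P_IPV6) + ip + icmp


def parse_ra(frame):
    """Return a dict describing a Router Advertisement, or None if not an RA."""
    if len(frame) < 14 + 40 + 16:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip[4:8])
    if next_hdr != IPPROTO_ICMPV6:  # extension headers are not followed here
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    prefixes, dns = [], []
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:  # RFC 4861: zero-length option is malformed, stop
            break
        body = icmp[off:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and len(body) >= 32:
            prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == OPT_RDNSS and len(body) >= 24:
            for i in range(8, len(body) - 15, 16):
                dns.append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len * 8
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": ipaddress.IPv6Address(ip[8:24]),
        "hop_limit": hop_limit,
        "prefixes": prefixes,
        "dns": dns,
    }


def audit(frames, allowed_router_macs):
    """Classify every RA in `frames`; an RA is 'rogue' if any check fails."""
    findings = []
    for frame in frames:
        ra = parse_ra(frame)
        if ra is None:
            continue
        reasons = []
        if ra["src_mac"] not in allowed_router_macs:
            reasons.append("unexpected sender MAC")
        if ra["hop_limit"] != 255:
            reasons.append("hop limit != 255 (RFC 4861 requires 255)")
        if not ra["src_ip"].is_link_local:
            reasons.append("source address is not link-local")
        findings.append({**ra, "rogue": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample capture: the real router, a rogue host that also
# advertises itself as the DNS server, and an unrelated IPv4 frame.
SAMPLE_FRAMES = [
    build_ra(bytes.fromhex("001122334455"), "fe80::1", "2001:db8:1::", 64, []),
    build_ra(bytes.fromhex("deadbeef0001"), "fe80::bad", "2001:db8:bad::", 64,
             ["2001:db8:bad::53"]),
    ALL_NODES_MAC + bytes.fromhex("deadbeef0002") + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 70,
]


def run_audit():
    return audit(SAMPLE_FRAMES, ALLOWED_ROUTER_MACS)


if __name__ == "__main__":
    for f in run_audit():
        tag = "ROGUE " if f["rogue"] else "ok    "
        print(tag, f["src_mac"], f["src_ip"], f["prefixes"], f["dns"], f["reasons"])
```

The checks are the ones a monitor can apply without any host cooperation: sender MAC against the known-router list, the mandatory hop limit of 255, and a link-local source. In practice the same data comes from a mirror port or the RA guard counters on switches that support it; the point of the audit is that an RA with an RDNSS option from an unexpected MAC is exactly the scenario the thread describes, and it is visible on the wire whether or not any host has acted on it.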