[141732] in North American Network Operators' Group


Re: The stupidity of trying to "fix" DHCPv6

daemon@ATHENA.MIT.EDU (Joel Jaeggli)
Fri Jun 10 17:43:21 2011

From: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <25705.1307729892@turing-police.cc.vt.edu>
Date: Fri, 10 Jun 2011 14:42:23 -0700
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jun 10, 2011, at 11:18 AM, Valdis.Kletnieks@vt.edu wrote:

> On Fri, 10 Jun 2011 12:54:17 CDT, Jima said:
>>  If we go down this path, how long before we hear screaming about rogue
>> DHCPv6 servers giving v4-only networks a false v6 path?
>
> Already happened.  Good way to install an MITM against any v6-enabled boxes
> on a v4-only network, been multiple reported uses of that technique.

What's more, v4 seems rather less likely to have any countermeasures or
methods for detecting this... Back when I worked for a security vendor,
our endpoint security product specifically disabled IPv6 to address this
exposure.


