[147856] in North American Network Operators' Group
Re: IPv6 RA vs DHCPv6 - The chosen one?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Dec 23 15:46:40 2011
To: Tomas Podermanski <tpoder@cis.vutbr.cz>
In-Reply-To: Your message of "Fri, 23 Dec 2011 21:06:26 +0100."
<4EF4DF42.2030709@cis.vutbr.cz>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 23 Dec 2011 15:44:30 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
--==_Exmh_1324673070_3579P
Content-Type: text/plain; charset=us-ascii
On Fri, 23 Dec 2011 21:06:26 +0100, Tomas Podermanski said:
> On 12/23/11 4:33 AM, Owen DeLong wrote:
> > If there is actual real world demand for it, it will get implemented.
> > Reality is that today, DHCPv4 has been running just as insecure for many years
> > and nobody cares. I don't know why the bar for IPv6 should be so much higher
> > than IPv4.
> I can not agree with that. Many operators having customers into a shared
> segment and uses security features I mentioned before ( again DHCP
> snooping, ARP protection, source address validation).
Hate to inject some reality here - but Owen is totally correct here. That's all
stuff you do *because DHCPv4 is an insecure protocol*. And a *lot* of places
don't do all that added security on the IPv4 side because it's not part of their
threat model, and probably don't want it on the IPv6 side for the same exact
reasons.
--==_Exmh_1324673070_3579P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFO9OgucC3lWbTT17ARAjrtAKCdbyKY14jVdDo00LptOf0oGw5hbwCg6PTa
7MzGVOjbQ5in8Rygu3FB35w=
=/k64
-----END PGP SIGNATURE-----
--==_Exmh_1324673070_3579P--
