[170351] in North American Network Operators' Group


Re: IPv6 Security [Was: Re: misunderstanding scale]

daemon@ATHENA.MIT.EDU (Mohacsi Janos)
Wed Mar 26 14:29:25 2014

Date: Wed, 26 Mar 2014 19:24:33 +0100 (CET)
From: Mohacsi Janos <mohacsi@niif.hu>
To: "Luke S. Crawford" <lsc@prgmr.com>
In-Reply-To: <53331477.1070701@prgmr.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org




On Wed, 26 Mar 2014, Luke S. Crawford wrote:

> On 03/24/2014 06:18 PM, Owen DeLong wrote:
>> DHCPv6 is no less robust in my experience than DHCPv4.
>> 
>> ARP and ND have mostly equivalent issues.
>
> This depends a lot on what you mean by 'robust'.
>
> Now, I have dealt with NAT, and I see IPv6 as a technology with the potential 
> to make my life less unpleasant. I really want IPv6 to succeed.
>
> However, DHCPv6 isn't anywhere near as useful for me, as someone who normally 
> deals with IPs that don't change, as DHCPv4 is.
>
> With DHCPv4, my customers all get an address based on their mac that doesn't 
> change if their box is re-installed.  I configure this on the DHCP server, 
> and the customer can run whatever dhcp client they like on whatever OS they 
> like and they get the same IP every time.
>
> With DHCPv6 there is a time-based identifier that is added to the mac that 
> makes it impossible, as far as I can tell, to give the customer a consistent 
> IP across OS wipes without doing significant client configuration.

This is stupidity of the DHCPv6 client/OS implementation. They should use 
DUID type 3 (DUID-LL) by default, not DUID type 1 (DUID-LLT). This can be 
circumvented by setting the default to type 3, but...
 	Regards,
 			Janos Mohacsi
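
Added example, not part of the original message: the two DUID layouts discussed above, built and parsed per RFC 3315 section 9, showing that DUID-LLT (type 1) changes when it is regenerated after a reinstall while DUID-LL (type 3) stays fixed for the same MAC. The MAC address, install dates and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

DUID_LLT, DUID_LL = 1, 3   # DUID type codes from the DHCPv6 spec (RFC 3315, section 9)
HW_ETHERNET = 1            # IANA hardware type for Ethernet
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Constructed sample values: one NIC, two OS installs on different days.
SAMPLE_MAC = "52:54:00:12:34:56"
INSTALL_A = datetime(2014, 1, 1, tzinfo=timezone.utc)
INSTALL_B = datetime(2014, 3, 26, tzinfo=timezone.utc)

def mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return raw

def duid_llt(mac, generated_at):
    """Type 1: type, hardware type, seconds since 2000-01-01 UTC (mod 2^32), MAC."""
    secs = int((generated_at - DUID_EPOCH).total_seconds()) % 2**32
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac_bytes(mac)

def duid_ll(mac):
    """Type 3: type, hardware type, MAC. No timestamp."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac_bytes(mac)

def parse_duid(duid):
    """Return (type, hardware type, timestamp or None, link-layer address)."""
    if len(duid) < 4:
        raise ValueError("truncated DUID")
    dtype, hwtype = struct.unpack("!HH", duid[:4])
    if dtype == DUID_LLT:
        if len(duid) < 8:
            raise ValueError("truncated DUID-LLT")
        return dtype, hwtype, struct.unpack("!I", duid[4:8])[0], duid[8:]
    if dtype == DUID_LL:
        return dtype, hwtype, None, duid[4:]
    raise ValueError(f"unhandled DUID type {dtype}")

if __name__ == "__main__":
    for label, duid in [("LLT, install A", duid_llt(SAMPLE_MAC, INSTALL_A)),
                        ("LLT, install B", duid_llt(SAMPLE_MAC, INSTALL_B)),
                        ("LL,  install A", duid_ll(SAMPLE_MAC)),
                        ("LL,  install B", duid_ll(SAMPLE_MAC))]:
        print(f"{label}: {duid.hex()}  -> {parse_duid(duid)}")
```

A DHCPv6 reservation keyed on the full DUID therefore survives a reinstall only in the DUID-LL case; with DUID-LLT only the trailing link-layer bytes match between installs.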



