[174082] in North American Network Operators' Group
RE: DHCPv6 authentication
daemon@ATHENA.MIT.EDU (Templin, Fred L)
Wed Aug 20 23:46:30 2014
X-Original-To: nanog@nanog.org
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Jared Mauch <jared@puck.nether.net>
Date: Thu, 21 Aug 2014 03:46:18 +0000
In-Reply-To: <2F4EA67A-A730-40E6-99DA-6A1FA5C3AFD8@puck.nether.net>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Hi Jared,
I am assuming 802.1x (or equivalent) security at L2, but the "link" between
my DHCPv6 client and server is actually a tunnel that may travel over many
network layer hops. So, it is possible for legitimate client A to have its
leases canceled by rogue client B unless DHCPv6 auth or something similar
is used. Yes, rogue client B would also have to be authenticated to connect
to the network the same as legitimate client A, but it could be an "insider
attack" (e.g., where B is a disgruntled employee trying to get back at a
corporate adversary A).
Thanks - Fred
fred.l.templin@boeing.com
> -----Original Message-----
> From: Jared Mauch [mailto:jared@puck.nether.net]
> Sent: Wednesday, August 20, 2014 5:14 PM
> To: Templin, Fred L
> Cc: nanog list
> Subject: Re: DHCPv6 authentication
>
> If you are already connected to the network you are going to be deemed as
> authenticated. I'm unaware of anyone doing dhcp authentication.
>
> Jared Mauch
>
> > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
> >
> > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > operational networks? If so, what has been the experience in terms
> > of DHCPv6 servers being able to discern legitimate clients from
> > rogue clients?
> >
> > Thanks - Fred
> > fred.l.templin@boeing.com
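
The lease-cancellation scenario in the reply at the top of this message, as an added example that is not part of the original thread: a server-side check that ties a DHCPv6 Release to a per-client key, so an on-network client B cannot release client A's lease. It assumes "DHCPv6 auth" means the RFC 3315 delayed authentication protocol (HMAC-MD5 over the whole message with the MAC field zeroed, plus a replay counter); the helper names, DUIDs, realm and keys are constructed, and the authentication option is placed last for brevity.

```python
import hashlib
import hmac
import struct

RELEASE, OPT_CLIENTID, OPT_AUTH, MAC_LEN = 8, 1, 11, 16  # RFC 3315 codes; HMAC-MD5 size

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def build_release(duid, realm, key_id, key, counter, xid=b"\x00\x00\x01"):
    """Client side: Release whose last option is the authentication option."""
    head = bytes([RELEASE]) + xid + opt(OPT_CLIENTID, duid)
    # protocol=2 (delayed), algorithm=1 (HMAC-MD5), RDM=0 (monotonic counter)
    auth = struct.pack("!BBBQ", 2, 1, 0, counter) + realm + struct.pack("!I", key_id)
    zeroed = head + opt(OPT_AUTH, auth + bytes(MAC_LEN))  # MAC field zero while hashing
    mac = hmac.new(key, zeroed, hashlib.md5).digest()
    return head + opt(OPT_AUTH, auth + mac)

def verify(msg, keys, last_seen):
    """Server side: return the client DUID if msg authenticates, else None.
    keys maps (duid, realm, key_id) -> secret; last_seen maps duid -> counter."""
    duid = auth = None
    pos = 4  # skip msg-type and transaction-id
    while pos + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, pos)
        end = pos + 4 + length
        if end > len(msg):
            return None  # truncated option
        if code == OPT_CLIENTID:
            duid = msg[pos + 4:end]
        elif code == OPT_AUTH:
            auth, mac_at = msg[pos + 4:end], end - MAC_LEN
        pos = end
    if duid is None or auth is None or len(auth) < 11 + 4 + MAC_LEN:
        return None
    proto, alg, rdm, counter = struct.unpack_from("!BBBQ", auth)
    realm, key_id = auth[11:-20], struct.unpack("!I", auth[-20:-16])[0]
    key = keys.get((duid, realm, key_id))  # key is bound to the claimed DUID
    if (proto, alg, rdm) != (2, 1, 0) or key is None:
        return None
    zeroed = msg[:mac_at] + bytes(MAC_LEN) + msg[mac_at + MAC_LEN:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, auth[-MAC_LEN:]) or counter <= last_seen.get(duid, -1):
        return None  # forged, or replayed/stale
    last_seen[duid] = counter
    return duid

# Constructed sample data: two clients, each with its own key at the server.
DUID_A, DUID_B = b"\x00\x03\x00\x01" + b"\xaa" * 6, b"\x00\x03\x00\x01" + b"\xbb" * 6
KEYS = {(DUID_A, b"example.net", 1): b"key-of-A", (DUID_B, b"example.net", 1): b"key-of-B"}
```

A Release that claims A's DUID but is keyed with B's secret returns `None`, as does a byte-for-byte replay of A's own earlier Release.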