[174084] in North American Network Operators' Group
Re: DHCPv6 authentication
daemon@ATHENA.MIT.EDU (Jared Mauch)
Thu Aug 21 07:50:29 2014
X-Original-To: nanog@nanog.org
Date: Thu, 21 Aug 2014 07:47:51 -0400
From: Jared Mauch <jared@puck.Nether.net>
To: "Templin, Fred L" <Fred.L.Templin@boeing.com>
In-Reply-To: <2134F8430051B64F815C691A62D9831832CF6476@XCH-BLV-504.nw.nos.boeing.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I similarly was counting on 802.1x + RA-Guard and other
techniques.
I can more easily do an insider attack by gaining console or connecting
to a trusted wire as most places I've seen don't do 802.1x on wired
but do on wireless.
I'm not going to enumerate the universe for the sake of 6man/dhc
or v6ops, and this seems like a futile effort.
- Jared (who sometimes runs a network)
On Thu, Aug 21, 2014 at 03:46:18AM +0000, Templin, Fred L wrote:
> Hi Jared,
>
> I am assuming 802.1x (or equivalent) security at L2, but the "link" between
> my DHCPv6 client and server is actually a tunnel that may travel over many
> network layer hops. So, it is possible for legitimate client A to have its
> leases canceled by rogue client B unless DHCPv6 auth or something similar
> is used. Yes, rogue client B would also have to be authenticated to connect
> to the network the same as legitimate client A, but it could be an "insider
> attack" (e.g., where B is a disgruntled employee trying to get back at a
> corporate adversary A).
>
> Thanks - Fred
> fred.l.templin@boeing.com
>
>
> > -----Original Message-----
> > From: Jared Mauch [mailto:jared@puck.nether.net]
> > Sent: Wednesday, August 20, 2014 5:14 PM
> > To: Templin, Fred L
> > Cc: nanog list
> > Subject: Re: DHCPv6 authentication
> >
> > If you are already connected to the network you are going to be deemed as authenticated. I'm unaware
> > of anyone doing dhcp authentication.
> >
> > Jared Mauch
> >
> > > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" <Fred.L.Templin@boeing.com> wrote:
> > >
> > > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > > operational networks? If so, what has been the experience in terms
> > > of DHCPv6 servers being able to discern legitimate clients from
> > > rogue clients?
> > >
> > > Thanks - Fred
> > > fred.l.templin@boeing.com
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
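The check Fred's quoted scenario calls for, as an added example that is not from this thread: a client appends an RFC 3315 delayed-authentication OPTION_AUTH (HMAC-MD5) to its message, and the server verifies it against the key bound to the realm/key id and enforces a per-key replay counter before it honours a Release. The realm, key id, key and message body are constructed sample values.

```python
import hashlib, hmac, struct
# DHCPv6 OPTION_AUTH (RFC 3315): delayed authentication protocol with HMAC-MD5.
OPTION_AUTH, PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, DIGEST_LEN = 11, 2, 1, 0, 16

def build_message(body, realm, key_id, counter, key):
    """Append OPTION_AUTH; the HMAC covers the whole message with the digest zeroed."""
    info = realm + struct.pack("!I", key_id) + bytes(DIGEST_LEN)
    opt = struct.pack("!BBBQ", PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER, counter) + info
    msg = body + struct.pack("!HH", OPTION_AUTH, len(opt)) + opt
    return msg[:-DIGEST_LEN] + hmac.new(key, msg, hashlib.md5).digest()

def verify_message(msg, keys, last_counter):
    """Server-side check before honouring a RELEASE/DECLINE: find OPTION_AUTH, look the key
    up by (realm, key_id), recompute the HMAC, enforce a strictly increasing replay counter."""
    off = 4                                  # skip msg-type (1) + transaction-id (3)
    while off + 4 <= len(msg):
        code, length = struct.unpack_from("!HH", msg, off)
        if code == OPTION_AUTH:
            break
        off += 4 + length
    else:
        return False, "no OPTION_AUTH"
    start, end = off + 4, off + 4 + length
    proto, alg, rdm, counter = struct.unpack_from("!BBBQ", msg, start)
    if (proto, alg, rdm) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False, "unsupported auth protocol"
    ident = (msg[start + 11:end - DIGEST_LEN - 4],            # realm follows 11 fixed bytes
             struct.unpack_from("!I", msg, end - DIGEST_LEN - 4)[0])
    if ident not in keys:
        return False, "unknown realm/key id"
    zeroed = msg[:end - DIGEST_LEN] + bytes(DIGEST_LEN) + msg[end:]
    expected = hmac.new(keys[ident], zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[end - DIGEST_LEN:end]):
        return False, "bad HMAC"
    if counter <= last_counter.get(ident, -1):
        return False, "replayed counter"
    last_counter[ident] = counter            # updated only on success
    return True, "ok"

# Constructed sample: client A's RELEASE (msg-type 8) carrying a client-id option (code 1).
CLIENT_A_KEY = b"key-provisioned-to-client-A"
KEYS = {(b"example.corp", 1): CLIENT_A_KEY}
BODY = bytes([8, 0x12, 0x34, 0x56]) + struct.pack("!HH", 1, 4) + b"DUID"

def demo():
    # A's release is accepted once; its replay and a release built without A's key are not.
    last = {}
    good = build_message(BODY, b"example.corp", 1, 7, CLIENT_A_KEY)
    forged = build_message(BODY, b"example.corp", 1, 8, b"not-A-key")
    return [verify_message(m, KEYS, last) for m in (good, good, forged)]
```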