[AusNOG] Apple say "biasing towards IPv6 is now beneficial for our customers"

Tue Jul 14 19:36:02 EST 2015

On 14 Jul 2015 6:45 pm, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
>
> On 07/14/2015 18:22, Mark Smith wrote:
> > So I think Lorenzo's objection is specifically about stateful address
> > assignment via DHCPv6 because it doesn't actually solve the problem
> > people think it does - to have a database of attached devices for
> > security purposes. DHCPv6 or DHCPv4 won't have a record of attackers
> > devices that are configured with static addresses. In the case of
> > IPv6, DHCPv6 won't have a record of hosts' link-local addresses
> > either. An attacker will have control of their machine, so they'll
> > very easily ignore the M flag in RAs (indicating to use DHCPv6 for
> > addresses), or more simply, sniff but not process RAs, so they know
> > the network's subnets and can configure a static address and static
> > default gateway if necessary.
>
> Sure, I get this - if that's the only reason people think they want to
> deploy IPv6, then they're doing it wrong(tm).  But this is not the only
> reason to choose DHCPv6 as your addressing mechanism - stuff like
> options support so that you can push TFTP etc, central address
> management, GSS-TSIG, whatever.

Actually, I strongly agree with using DHCPv6 for these purposes, meaning
stateless DHCPv6 (i.e. don't use it for addresses), to the point where I
wrote an IETF Internet Draft on it relating to CPE:

IPv6 CE Device DHCPv6 Option Transparency
https://tools.ietf.org/html/draft-smith-v6ops-ce-dhcpv6-transparency-00

  The point is that people are free to
> choose the mechanism that they've decided is right for their network,
> whatever their reasoning.
>
> > If you truly want a database of attached devices, you need to be
> > recording IPv6 neighbor cache contents, IPv4 ARP cache contents or
> > later two FDB contents. Then, in the case of IPv6, the address
> > configuration method (static, SLAAC, DHCPv6) doesn't matter.
> >
> > And if your truly want to control and record both the identities of
> > the devices and the *people* behind then (which includes potential
> > attackers), you authenticate them at layer 2, using e.g. 802.1X.
> >
>
> Absolutely.
>
> > BTW, I think Lorenzo is being rational. Being "religious" is objecting
> > to something different just because it is different.
> >
>
> Except that Lorenzo really can't dictate how operators are going to
> configure their networks, so declaring that if operators implement
> addressing in a manner that conflicts with Lorenzo's opinion on how it
> should be done - irrespective of the RFCs - users of the Android
> operating system will be refused IPv6 connectivity, really does not
> strike me as a rational stance, and would seem to satisfy your
> definition of "religious" ;-)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20150714/94d0dd9a/attachment.html>