[AusNOG] Apple say "biasing towards IPv6 is now beneficial for our customers"
Mark Smith
markzzzsmith at gmail.com
Tue Jul 14 18:22:51 EST 2015
On 14 Jul 2015 6:02 pm, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
>
> On 07/14/2015 17:58, Mark Smith wrote:
> >
> > see RFC7278 for a work around to 3GPP versions trapping handsets into
> > not supporting DHCPv6
> >
>
> Regardless of such traps, some Google staffers have simply flat-out
> refused[1] to implement DHCPv6 on Android for religious reasons.
>
So I think Lorenzo's objection is specifically about stateful address
assignment via DHCPv6 because it doesn't actually solve the problem people
think it does - to have a database of attached devices for security
purposes. DHCPv6 or DHCPv4 won't have a record of attackers devices that
are configured with static addresses. In the case of IPv6, DHCPv6 won't
have a record of hosts' link-local addresses either. An attacker will have
control of their machine, so they'll very easily ignore the M flag in RAs
(indicating to use DHCPv6 for addresses), or more simply, sniff but not
process RAs, so they know the network's subnets and can configure a static
address and static default gateway if necessary.
If you truly want a database of attached devices, you need to be recording
IPv6 neighbor cache contents, IPv4 ARP cache contents or later two FDB
contents. Then, in the case of IPv6, the address configuration method
(static, SLAAC, DHCPv6) doesn't matter.
And if your truly want to control and record both the identities of the
devices and the *people* behind then (which includes potential attackers),
you authenticate them at layer 2, using e.g. 802.1X.
BTW, I think Lorenzo is being rational. Being "religious" is objecting to
something different just because it is different.
> [1] https://code.google.com/p/android/issues/detail?id=32621
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20150714/15c2bd21/attachment.html>
More information about the AusNOG
mailing list