[AusNOG] Apple say "biasing towards IPv6 is now beneficial for our customers"
Peter Fern
ausnog at 0xc0dedbad.com
Tue Jul 14 18:45:10 EST 2015
On 07/14/2015 18:22, Mark Smith wrote:
> So I think Lorenzo's objection is specifically about stateful address
> assignment via DHCPv6 because it doesn't actually solve the problem
> people think it does - to have a database of attached devices for
> security purposes. DHCPv6 or DHCPv4 won't have a record of attackers'
> devices that are configured with static addresses. In the case of
> IPv6, DHCPv6 won't have a record of hosts' link-local addresses
> either. An attacker will have control of their machine, so they'll
> very easily ignore the M flag in RAs (indicating to use DHCPv6 for
> addresses), or more simply, sniff but not process RAs, so they know
> the network's subnets and can configure a static address and static
> default gateway if necessary.
Sure, I get this - if that's the only reason people think they want to
deploy IPv6, then they're doing it wrong(tm). But this is not the only
reason to choose DHCPv6 as your addressing mechanism - stuff like
options support so that you can push TFTP etc, central address
management, GSS-TSIG, whatever. The point is that people are free to
choose the mechanism that they've decided is right for their network,
whatever their reasoning.
> If you truly want a database of attached devices, you need to be
> recording IPv6 neighbor cache contents, IPv4 ARP cache contents or
> layer two FDB contents. Then, in the case of IPv6, the address
> configuration method (static, SLAAC, DHCPv6) doesn't matter.
>
> And if you truly want to control and record both the identities of
> the devices and the *people* behind them (which includes potential
> attackers), you authenticate them at layer 2, using e.g. 802.1X.
>
Absolutely.
> BTW, I think Lorenzo is being rational. Being "religious" is objecting
> to something different just because it is different.
>
Except that Lorenzo really can't dictate how operators are going to
configure their networks, so declaring that if operators implement
addressing in a manner that conflicts with Lorenzo's opinion on how it
should be done - irrespective of the RFCs - users of the Android
operating system will be refused IPv6 connectivity, really does not
strike me as a rational stance, and would seem to satisfy your
definition of "religious" ;-)
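An added example, not part of this thread or anyone's post in it, showing what "recording IPv6 neighbor cache contents, IPv4 ARP cache contents" looks like in practice: a small Python parser over the output of Linux `ip -6 neigh show` / `ip -4 neigh show` that groups every resolved entry by MAC address. The sample lines, interface name and MAC values are constructed for the example; the parser assumes the usual `ip neigh` token layout (`<addr> dev <if> [lladdr <mac>] [router|proxy] <STATE>`). Because the inventory is keyed on the layer 2 address, link-local addresses and statically configured addresses show up alongside DHCPv6/SLAAC ones, which is the point made above about the configuration method not mattering.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample neighbour table in `ip neigh show` format (made up for
# this example; not captured from a real host).  One host has an IPv4
# address, a link-local address, a DHCPv6/static style global address and a
# SLAAC style global address, all behind the same MAC.
SAMPLE_NEIGH = """\
fe80::1a2b:3c4d:5e6f:7a8b dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
2001:db8:0:1:7f3c:9a1e:4d2b:c8f dev eth0 lladdr 00:11:22:33:44:55 STALE
fe80::1 dev eth0 lladdr 00:00:5e:00:02:01 router REACHABLE
2001:db8:0:1::dead dev eth0 FAILED
192.0.2.77 dev eth0 lladdr aa:bb:cc:dd:ee:ff DELAY
"""


@dataclass
class Device:
    """Everything the neighbour tables tell us about one layer 2 address."""
    mac: str
    addresses: set = field(default_factory=set)
    ifaces: set = field(default_factory=set)
    is_router: bool = False


def parse_neigh_line(line):
    """Parse one `ip neigh` line into (addr, dev, lladdr, flags, state).

    Returns None for blank lines.  State tokens (REACHABLE, STALE, DELAY,
    PROBE, FAILED, ...) are recognised by being all upper-case; other bare
    words (router, proxy) are collected as flags.
    """
    tokens = line.split()
    if not tokens:
        return None
    addr, dev, lladdr, flags, state = tokens[0], None, None, set(), None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "dev":
            dev, i = tokens[i + 1], i + 2
        elif tok == "lladdr":
            lladdr, i = tokens[i + 1], i + 2
        elif tok.isupper():
            state, i = tok, i + 1
        else:
            flags.add(tok)
            i += 1
    return addr, dev, lladdr, flags, state


def classify(addr):
    """Bucket an address so an inventory can show what each MAC is using."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    return "ipv6-link-local" if ip.is_link_local else "ipv6-global"


def build_inventory(neigh_output):
    """Group neighbour entries by MAC; entries with no lladdr (e.g. FAILED
    or INCOMPLETE) cannot be attributed to a device and are returned
    separately so they are not silently dropped."""
    devices, unresolved = {}, []
    for line in neigh_output.splitlines():
        parsed = parse_neigh_line(line)
        if parsed is None:
            continue
        addr, dev, mac, flags, state = parsed
        if mac is None:
            unresolved.append((addr, dev, state))
            continue
        entry = devices.setdefault(mac, Device(mac=mac))
        entry.addresses.add(addr)
        entry.ifaces.add(dev)
        if "router" in flags:
            entry.is_router = True
    return devices, unresolved


def summarize(devices):
    """Per MAC, count addresses by kind (ipv4 / ipv6-link-local / ipv6-global)."""
    summary = {}
    for mac, dev in devices.items():
        counts = {}
        for addr in dev.addresses:
            kind = classify(addr)
            counts[kind] = counts.get(kind, 0) + 1
        summary[mac] = counts
    return summary


if __name__ == "__main__":
    devs, unres = build_inventory(SAMPLE_NEIGH)
    for mac, counts in summarize(devs).items():
        print(mac, "router" if devs[mac].is_router else "host", counts)
    print("unresolved:", unres)
```

On a real host the same functions would be fed `subprocess.run(["ip", "-6", "neigh", "show"], ...)` output (and the `-4` equivalent) on a timer, with the results written somewhere with a timestamp; FDB contents from switches would need a separate collector, which this example does not attempt.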