IPv6 delivery model to end customers
- Subject: IPv6 delivery model to end customers
- From: nanog at daork.net (Nathan Ward)
- Date: Sat, 7 Feb 2009 21:28:31 +1300
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 7/02/2009, at 8:45 PM, Mikael Abrahamsson wrote:
> So, what is the security problem with IPv6 in an IPv4 network? Well,
> imagine an IPv4 network where security is done via ARP inspection,
> DHCP snooping and L3 ACLs. Now, insert rogue customer who announces
> itself via RA/DHCPv6 and says it's also DNS. Vista machines will get
> themselves an IPv6 address via RA, ask for DNS-server via DHCPv6, so if
> the rogue customer can do some NAT-PT like functionality, they are
> now man in the middle for all the IPv4 traffic (because between the
> customers it's IPv6 and the L2 device doesn't know anything about
> that). I don't know if this has actually been done, but I see no
> theoretical problem with it, if someone can come up with something,
> please do tell.
It is worth noting that this problem does not require you to start
sending RA messages - this is a problem as soon as one customer is
listening to RA messages. The problem may very well exist right now.
--
Nathan Ward
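
A defensive check for the situation discussed in this message, as an added example that is not part of the original post: it parses a captured ICMPv6 Router Advertisement and reports what hosts on the segment would do with it. The function names, the MAC allowlist and the sample packet are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134                                # ICMPv6 Router Advertisement (RFC 4861)
OPT_SLLA, OPT_PREFIX, OPT_RDNSS = 1, 3, 25   # RDNSS option is RFC 8106

def parse_ra(icmp6):
    """Parse an RA starting at the ICMPv6 type byte (checksum is not verified)."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + olen]
        if otype == OPT_SLLA and olen == 8:
            # Assumption: the SLLA option is used as the sender identity here;
            # a real sensor should prefer the Ethernet source address.
            ra["src_mac"] = body[2:8].hex(":")
        elif otype == OPT_PREFIX and olen == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append((str(net), bool(body[3] & 0x40)))  # A flag = SLAAC
        elif otype == OPT_RDNSS and olen >= 24:
            for i in range(8, olen, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def assess(ra, allowed_router_macs=frozenset()):
    """Empty allowlist models an IPv4-only segment: every RA is a finding."""
    if ra["src_mac"] in allowed_router_macs:
        return []
    checks = [
        (True, "RA from unapproved source"),
        (ra["router_lifetime"] > 0, "offers itself as default router"),
        (any(a for _, a in ra["prefixes"]), "hosts will autoconfigure an address"),
        (ra["managed"] or ra["other"], "hosts directed to DHCPv6, which can supply DNS"),
        (bool(ra["rdnss"]), "advertises DNS servers directly"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed sample: O flag set, lifetime 1800 s, SLLA option, 2001:db8:1::/64 with A flag.
SAMPLE_RA = (bytes([134, 0, 0, 0, 64, 0x40]) + struct.pack("!HII", 1800, 0, 0)
             + bytes([1, 1]) + bytes.fromhex("020000000001")
             + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
             + ipaddress.IPv6Address("2001:db8:1::").packed)
```

With the default empty allowlist, `assess(parse_ra(SAMPLE_RA))` returns four findings, which is the condition an IPv4-only access network would alert on.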