On 06/13/2011 07:38 PM, Nick Hilliard wrote: > On 10/06/2011 22:51, Fernando Gont wrote: >> * This results in a RA-Guard implementation that is as simple as >> possible (it only has to look at the header following the fixed IPv6 >> header). > > dhcpv6 suffers from exactly the same problem.
Agreed. This is noted in the I-D, by the way. > Are there plans to introduce dhcpv6-guard? This is something that vendors should answer. As long as there are implementations that may try DHCPv6 even if no RA is received, DHCPv6 should be implemented/deployed along RA-Guard, or else attackers will switch to teh DHCPv6 vector, and RA-Guard will be circumvented this way. Thanks, -- Fernando Gont e-mail: [email protected] || [email protected] PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 -------------------------------------------------------------------- IETF IPv6 working group mailing list [email protected] Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
