Re: DHCPv6 authentication

2014-08-22 Thread Hugo Slabbert

> Hi, the question is simply whether anyone is using (or knows of any
> use of) DHCPv6 Authentication.


Given the responses thus far, my guess would be "no".


On Thu, 21 Aug 2014 12:14:57 +, "Templin, Fred L" wrote:

> Hi, the question is simply whether anyone is using (or knows of any
> use of) DHCPv6 Authentication. Does it work? What is the operational
> experience?
>
> Thanks - Fred
> fred.l.temp...@boeing.com




--
Hugo




RE: DHCPv6 authentication

2014-08-21 Thread Templin, Fred L
Hi, the question is simply whether anyone is using (or knows of any
use of) DHCPv6 Authentication. Does it work? What is the operational
experience?

Thanks - Fred
fred.l.temp...@boeing.com


Re: DHCPv6 authentication

2014-08-21 Thread Jared Mauch
I similarly was counting on 802.1x + RA-Guard and other
techniques.

I can more easily do an insider attack by gaining console or connecting
to a trusted wire as most places I've seen don't do 802.1x on wired
but do on wireless.

I'm not going to enumerate the universe for the sake of 6man/dhc
or v6ops, and this seems like a futile effort.

- Jared (who sometimes runs a network)

On Thu, Aug 21, 2014 at 03:46:18AM +, Templin, Fred L wrote:
> Hi Jared,
> 
> I am assuming 802.1x (or equivalent) security at L2, but the "link" between
> my DHCPv6 client and server is actually a tunnel that may travel over many
> network layer hops. So, it is possible for legitimate client A to have its
> leases canceled by rogue client B unless DHCPv6 auth or something similar
> is used. Yes, rogue client B would also have to be authenticated to connect
> to the network the same as legitimate client A, but it could be an "insider
> attack" (e.g., where B is a disgruntled employee trying to get back at a
> corporate adversary A).
> 
> Thanks - Fred
> fred.l.temp...@boeing.com
> 
> 
> > -Original Message-
> > From: Jared Mauch [mailto:ja...@puck.nether.net]
> > Sent: Wednesday, August 20, 2014 5:14 PM
> > To: Templin, Fred L
> > Cc: nanog list
> > Subject: Re: DHCPv6 authentication
> > 
> > If you are already connected to the network you are going to be deemed as
> > authenticated. I'm unaware of anyone doing dhcp authentication.
> > 
> > Jared Mauch
> > 
> > > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" wrote:
> > >
> > > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > > operational networks? If so, what has been the experience in terms
> > > of DHCPv6 servers being able to discern legitimate clients from
> > > rogue clients?
> > >
> > > Thanks - Fred
> > > fred.l.temp...@boeing.com

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: DHCPv6 authentication

2014-08-20 Thread Alex Howells
This seems like an attempt to boil the ocean.


RE: DHCPv6 authentication

2014-08-20 Thread Templin, Fred L
Hi Jared,

I am assuming 802.1x (or equivalent) security at L2, but the "link" between
my DHCPv6 client and server is actually a tunnel that may travel over many
network layer hops. So, it is possible for legitimate client A to have its
leases canceled by rogue client B unless DHCPv6 auth or something similar
is used. Yes, rogue client B would also have to be authenticated to connect
to the network the same as legitimate client A, but it could be an "insider
attack" (e.g., where B is a disgruntled employee trying to get back at a
corporate adversary A).

Thanks - Fred
fred.l.temp...@boeing.com


> -Original Message-
> From: Jared Mauch [mailto:ja...@puck.nether.net]
> Sent: Wednesday, August 20, 2014 5:14 PM
> To: Templin, Fred L
> Cc: nanog list
> Subject: Re: DHCPv6 authentication
> 
> If you are already connected to the network you are going to be deemed as
> authenticated. I'm unaware of anyone doing dhcp authentication.
> 
> Jared Mauch
> 
> > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" wrote:
> >
> > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > operational networks? If so, what has been the experience in terms
> > of DHCPv6 servers being able to discern legitimate clients from
> > rogue clients?
> >
> > Thanks - Fred
> > fred.l.temp...@boeing.com


Re: DHCPv6 authentication

2014-08-20 Thread Randy Carpenter

My clients typically do DHCP authentication in order to have the ability to 
tell which user has which IP at what time. The challenge with doing this with 
IPv6 is that the original DHCPv6 spec has no provision for there to be any 
unique identifier that can be tied to a particular user like DHCPv4 does. RFC 
6939 defines a way to fix that, but I have yet to see it implemented by 
anything.

thanks,
-Randy


- Original Message -
> If you are already connected to the network you are going to be deemed as
> authenticated. I'm unaware of anyone doing dhcp authentication.
> 
> Jared Mauch
> 
> > On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" wrote:
> > 
> > Hi - does anyone know if DHCPv6 authentication is commonly used in
> > operational networks? If so, what has been the experience in terms
> > of DHCPv6 servers being able to discern legitimate clients from
> > rogue clients?
> > 
> > Thanks - Fred
> > fred.l.temp...@boeing.com
> 
> 
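
An added illustration of the RFC 6939 mechanism mentioned in the message above (not part of the original thread and not any poster's code): a relay that implements it attaches the Client Link-Layer Address option (code 79) to the Relay-Forward message, and a server-side logger can pair that with the peer-address to record which client held which address. The packet bytes are constructed sample data and the function names are hypothetical.

```python
import ipaddress
import struct

RELAY_FORW = 12                 # DHCPv6 msg-type, RFC 3315
OPT_RELAY_MSG = 9               # carries the client's original message
OPT_CLIENT_LINKLAYER_ADDR = 79  # RFC 6939

def iter_options(buf):
    """Yield (code, value) for each DHCPv6 option; reject malformed input."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated option %d" % code)
        yield code, buf[off:off + length]
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last option")

def attribution_from_relay_forw(pkt):
    """Return peer-address, link-layer type and MAC from a Relay-Forward.

    'mac' stays None when the relay did not add option 79."""
    if len(pkt) < 34 or pkt[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    # Layout: msg-type(1) hop-count(1) link-address(16) peer-address(16) options
    record = {"peer": str(ipaddress.IPv6Address(pkt[18:34])),
              "link_type": None, "mac": None}
    for code, value in iter_options(pkt[34:]):
        if code == OPT_CLIENT_LINKLAYER_ADDR and len(value) > 2:
            (record["link_type"],) = struct.unpack_from("!H", value)
            record["mac"] = ":".join("%02x" % b for b in value[2:])
    return record

def opt(code, value):
    """Encode one option as code(2) + length(2) + value."""
    return struct.pack("!HH", code, len(value)) + value

# Constructed sample: documentation prefix and documentation MAC range.
SAMPLE = (bytes([RELAY_FORW, 0])
          + ipaddress.IPv6Address("2001:db8:0:1::1").packed           # link-address
          + ipaddress.IPv6Address("fe80::200:5eff:fe00:5301").packed  # peer-address
          + opt(OPT_RELAY_MSG, bytes([1, 0xAA, 0xBB, 0xCC]))          # bare Solicit header
          + opt(OPT_CLIENT_LINKLAYER_ADDR,
                struct.pack("!H", 1) + bytes.fromhex("00005e005301")))  # type 1 = Ethernet

if __name__ == "__main__":
    print(attribution_from_relay_forw(SAMPLE))
```
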


Re: DHCPv6 authentication

2014-08-20 Thread Jared Mauch
If you are already connected to the network you are going to be deemed as 
authenticated. I'm unaware of anyone doing dhcp authentication. 

Jared Mauch

> On Aug 20, 2014, at 6:45 PM, "Templin, Fred L" wrote:
> 
> Hi - does anyone know if DHCPv6 authentication is commonly used in
> operational networks? If so, what has been the experience in terms
> of DHCPv6 servers being able to discern legitimate clients from
> rogue clients?
> 
> Thanks - Fred
> fred.l.temp...@boeing.com


DHCPv6 authentication

2014-08-20 Thread Templin, Fred L
Hi - does anyone know if DHCPv6 authentication is commonly used in
operational networks? If so, what has been the experience in terms
of DHCPv6 servers being able to discern legitimate clients from
rogue clients?

Thanks - Fred
fred.l.temp...@boeing.com