DHCPv6 default gateway option?

Tim Gavin livewire98801 at gmail.com
Wed Dec 8 08:44:47 UTC 2010


>
> An infected machine could send DHCP messages to change the default router as well.


Okay, so bad example, but the point stands.  Since the DHCP server is
responsible for both the IP and the gateway on v4, if the compromised
machine tries to send a bad address, the real DHCP server would be
sending a NAK.

I've seen this behavior before on my network, though I might not be
explaining it very well.  We had a bunch of machines getting invalid
IPs with mismatched gateways.  Turns out we had an infected Windows
machine sending out goofy DHCP replies to DISCOVERS.

Then again, that's why I don't like running DHCP on an ISP network.
But it's certainly better than the Windows DHCP servers (one for every
independent network) that we were running when I started.

My concern with the way v6 does it is that the RA and the DHCP
transaction are separate.  It's trivial for the system to get a valid
IPv6 address and have the RA come from a different machine, since that's
what the computer is expecting.


> I think the router is the most natural place to decide about routers.

Wouldn't the DHCP server be the most natural place for that?  The
system that assigns the IP should also assign the rest of the
connection information?  Just like it does now in v4, the DHCP server
should assign the IP, GW, Mask, DNS, and whatever else the admin needs
to assign?


> Of course, systems should be protected against faked or intruded router advertisements
> and faked or intruded DHCP servers.

On a campus network, that's easy.  On an ISP network, not so much,
especially a flat fiber optic network like I'm on.  We don't own the
network, we just buy access to a VLAN that we have no direct control
over.


> Such a protection will not occur by adding such an option to the DHCP protocol.
> It needs a proper filtering of network traffic, to allow RA only from known routers,
> and to allow DHCP traffic only from/to DHCP servers.



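The filtering the quoted paragraph calls for (RAs accepted only from known routers, DHCP traffic accepted only from/to known servers), together with the rogue DHCPv4 reply scenario Tim describes earlier in the post, as an added example that is not part of this thread or of any ISC DHCP code. It models a port-level RA-guard / DHCP-snooping policy over constructed packet summaries; the allowlisted addresses (fe80::1, fe80::53, 10.0.0.2) and the traffic records are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed allowlists: assumed values for this example, not from the thread.
KNOWN_ROUTERS = {"fe80::1"}            # only link-local source allowed to send RAs
KNOWN_DHCPV6_SERVERS = {"fe80::53"}    # DHCPv6 servers/relays on the segment
KNOWN_DHCPV4_SERVERS = {"10.0.0.2"}    # the real DHCPv4 server

ALL_DHCP_V6 = "ff02::1:2"              # All_DHCP_Relay_Agents_and_Servers (RFC 8415)

# Server-to-client message types whose source must be a known server.
DHCPV6_FROM_SERVER = {"DHCPv6-ADVERTISE", "DHCPv6-REPLY", "DHCPv6-RECONFIGURE"}
DHCPV4_FROM_SERVER = {"DHCP-OFFER", "DHCP-ACK", "DHCP-NAK"}


@dataclass(frozen=True)
class Packet:
    """Summary of one frame seen on an access port (constructed, not captured)."""
    src: str
    dst: str
    kind: str        # "RA", "DHCPv6-<MSG>", "DHCP-<MSG>" or "OTHER"
    sport: int = 0   # UDP ports; 0 for ICMPv6
    dport: int = 0


def classify(pkt: Packet) -> tuple[str, str]:
    """Return ("allow" | "drop", reason) for one packet under the guard policy."""
    src = ip_address(pkt.src)

    if pkt.kind == "RA":
        # RFC 4861 requires RA sources to be link-local; anything else is bogus.
        if not src.is_link_local:
            return "drop", "RA source is not link-local"
        if pkt.src not in KNOWN_ROUTERS:
            return "drop", "RA from unknown router"
        return "allow", "RA from known router"

    if pkt.kind in DHCPV6_FROM_SERVER:
        if pkt.sport != 547 or pkt.dport != 546:
            return "drop", "DHCPv6 server message on wrong ports"
        if pkt.src not in KNOWN_DHCPV6_SERVERS:
            return "drop", "DHCPv6 server message from unknown source"
        return "allow", "DHCPv6 server message from known server"

    if pkt.kind.startswith("DHCPv6-"):  # client -> server (SOLICIT, REQUEST, ...)
        if pkt.dport != 547:
            return "drop", "DHCPv6 client message to wrong port"
        if pkt.dst != ALL_DHCP_V6 and pkt.dst not in KNOWN_DHCPV6_SERVERS:
            return "drop", "DHCPv6 client message to unknown destination"
        return "allow", "DHCPv6 client message to servers/relays"

    if pkt.kind in DHCPV4_FROM_SERVER:
        # This is the "goofy replies to DISCOVERS" case: an OFFER/ACK/NAK from a host.
        if pkt.sport != 67 or pkt.dport != 68:
            return "drop", "DHCPv4 server message on wrong ports"
        if pkt.src not in KNOWN_DHCPV4_SERVERS:
            return "drop", "rogue DHCPv4 reply from unknown source"
        return "allow", "DHCPv4 server message from known server"

    if pkt.kind.startswith("DHCP-"):  # client -> server (DISCOVER, REQUEST, ...)
        if pkt.sport != 68 or pkt.dport != 67:
            return "drop", "DHCPv4 client message on wrong ports"
        return "allow", "DHCPv4 client message"

    return "allow", "not RA/DHCP; outside this policy"


def audit(packets) -> dict[str, int]:
    """Count allow/drop verdicts over a list of packets."""
    counts = {"allow": 0, "drop": 0}
    for pkt in packets:
        verdict, _ = classify(pkt)
        counts[verdict] += 1
    return counts


# Constructed sample traffic: one legitimate and one bogus example of each case.
SAMPLE_TRAFFIC = [
    Packet("fe80::1", "ff02::1", "RA"),                                  # real router
    Packet("fe80::bad", "ff02::1", "RA"),                                # rogue RA
    Packet("fe80::53", "fe80::1234", "DHCPv6-REPLY", 547, 546),          # real server
    Packet("fe80::1234", "ff02::1:2", "DHCPv6-SOLICIT", 546, 547),       # client
    Packet("10.0.0.2", "255.255.255.255", "DHCP-OFFER", 67, 68),         # real server
    Packet("10.0.0.77", "255.255.255.255", "DHCP-OFFER", 67, 68),        # infected host
    Packet("0.0.0.0", "255.255.255.255", "DHCP-DISCOVER", 68, 67),       # client
]

if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        print(p.kind, p.src, "->", *classify(p))
    print(audit(SAMPLE_TRAFFIC))
```

The policy is deliberately per-port and address-based, which is what a switch-side RA guard or DHCP snooping feature gives you; it is also exactly the control Tim says he cannot apply on a VLAN he does not operate, so on that kind of access network the same check has to run on the hosts or on the CPE instead.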