On Jul 25, 2014, at 9:05 PM, Dan Wing <[email protected]> wrote:
> Specifically, the network has to allow an arbitrary host to send an IPv6 RA.  
> Doesn't that open the network to a pile of attacks, including an 
> attacker-controlled IPv6 DNS server (RFC6106) and attacker-controlled IPv6 
> default route?

It does, but if the network provides DHCP service and the attacker either fails 
to answer faster, or is prevented from acting as a DHCP server, then happy 
eyeballs will take care of the broken IPv6 service. If your portable device 
is using any protocols that are susceptible to MiTM attacks, you shouldn't be 
connecting it to networks anyway, so we don't have to care about snooping, 
right? :)

So compare that to no-IPv4, where if this is propagated using RA or DHCPv6, 
it's possible to actually shut off the IPv4 connection and prevent the user 
from connecting over the IPv4 internet.

_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4
