Let me try to explain why I, as an implementor, do not like the M/O bits very much.

It is not that DHCPv6 cannot be made secure, it is that the M/O bits are
an automatic and insecure way to trigger an external configuration mechanism.


There are security implications for the hosts in implementing those bits.
They are received in RAs, which are mostly insecure (anyone can send a "valid" RA).
The current text says a host should turn on stateful autoconf when receiving those bits.
So one could mount an attack fairly easily by introducing a rogue DHCPv6
server on a network that had no DHCPv6 so far and send a fake RA with
the M/O bits on. The host will then configure itself using data coming
from the new rogue DHCPv6 server.


2462 says "host should invoke the stateful address autoconfiguration protocol"
and not "MUST invoke", so there is already provision for not obeying
the M/O bits. But if those bits are not mandatory to execute, why are they here in
the first place? To give a hint that DHCPv6 is present?
Hosts should not blindly believe this unless the RAs are secured.
Also, there are no such bits in IPv4, and host implementations that chose to turn
DHCPv4 on simply try it. Why is it not good for IPv6?


- Alain.


--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
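
A monitoring check for the situation the message describes, as an added example that is not part of the original message: it reads the M/O bits from a Router Advertisement header and flags an RA that turns them on where the link has no DHCPv6 service. The policy dictionary, the router addresses and the sample RAs are constructed assumptions.

```python
import struct

RA_TYPE = 134      # ICMPv6 Router Advertisement
FLAG_M = 0x80      # "managed address configuration" bit
FLAG_O = 0x40      # "other stateful configuration" bit

def make_ra(flags: int) -> bytes:
    """Constructed sample RA header (checksum left at 0, no options)."""
    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)

def parse_ra_flags(icmp6: bytes):
    """Return (M, O) for an RA, or None if the message is not a valid RA."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE or icmp6[1] != 0:
        return None
    flags = icmp6[5]
    return bool(flags & FLAG_M), bool(flags & FLAG_O)

def check_ra(src: str, icmp6: bytes, policy: dict) -> list:
    """Alerts for an RA that contradicts the link policy (hypothetical schema)."""
    parsed = parse_ra_flags(icmp6)
    if parsed is None:
        return []
    managed, other = parsed
    alerts = []
    if src not in policy["routers"]:
        alerts.append(f"RA from unlisted router {src}")
    if managed and not policy["dhcpv6_deployed"]:
        alerts.append(f"{src} sets M bit on a link with no DHCPv6")
    if other and not policy["dhcpv6_deployed"]:
        alerts.append(f"{src} sets O bit on a link with no DHCPv6")
    return alerts

# Assumed policy for one link: one known router, no DHCPv6 service.
POLICY = {"routers": {"fe80::1"}, "dhcpv6_deployed": False}

if __name__ == "__main__":
    for src, ra in [("fe80::1", make_ra(0x00)), ("fe80::bad", make_ra(0xC0))]:
        print(src, check_ra(src, ra, POLICY) or "ok")
```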