Based on what I said at the mike, here is some suggested text to add to the security considerations section:
Some network devices such as switches might have mechanisms to block ports from being having a DHCPv6 server, which provides some protection against DHCP server spoofing. That means that an attacker on other ports can't insert bogus DNS servers using DHCPv6. The corresponding technique for RDNSS is to configure those devices to block Router Advertisement messages.
Erik -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
