DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers
draft-ietf-opsec-dhcpv6-shield-08

Approval announcement
Draft of message to be sent after approval:

Announcement

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: RFC Editor <rfc-editor@rfc-editor.org>,
    opsec mailing list <opsec@ietf.org>,
    opsec chair <opsec-chairs@tools.ietf.org>
Subject: Protocol Action: 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers' to Best Current Practice (draft-ietf-opsec-dhcpv6-shield-08.txt)

The IESG has approved the following document:
- 'DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers'
  (draft-ietf-opsec-dhcpv6-shield-08.txt) as Best Current Practice

This document is the product of the Operational Security Capabilities for
IP Network Infrastructure Working Group.

The IESG contact persons are Benoit Claise and Joel Jaeggli.

A URL of this Internet Draft is:
https://datatracker.ietf.org/doc/draft-ietf-opsec-dhcpv6-shield/


Ballot Text

Technical Summary

This document describes a mechanism for protecting hosts connected to 
a switched network against rogue DHCPv6 servers.  This mechanism is 
based on DHCPv6 packet-filtering at the layer-2 device at which the 
packets are received.  A similar mechanism has been widely deployed 
in IPv4 networks ('DHCP snooping'), and hence it is desirable that 
similar functionality be provided for IPv6 networks.

Working Group Summary

This document received a fair bit of in-depth review from key members 
of the WG. The WGLC concluded that this is useful information that is 
presented in an easy-to-read format. 

Document Quality

This document provides advice to IPv6 implementors for protecting 
hosts connected to a switched network against rogue DHCPv6 servers. 
There is a valid implementation of this functionality on Cisco 
equipment. Everyone who reviewed and commented on this document agrees 
that this is a significant security issue and that the mechanism that 
this draft provides is easy to use given its similarity to a similar 
feature (DHCP snooping) that has existed for IPv4 networks for a 
while.


Personnel

Kiran Kumar Chittimaneni is the Document Shepherd.

Joel Jaeggli is the Area Director.

RFC Editor Note