Technical Summary
This document describes a mechanism for protecting hosts connected to
a switched network against rogue DHCPv6 servers. This mechanism is
based on DHCPv6 packet-filtering at the layer-2 device at which the
packets are received. A similar mechanism has been widely deployed
in IPv4 networks ('DHCP snooping'), and hence it is desirable that
similar functionality be provided for IPv6 networks.
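
The filtering decision summarised above, as an added example; it is not code from the draft or from any vendor implementation. It assumes packets meant for DHCPv6 clients are recognised by UDP destination port 546 once the IPv6 extension-header chain has been walked. The port names, the TRUSTED_PORTS set, the helper names and the fail-closed handling of unparsable chains are assumptions of this sketch.

```python
import struct

TRUSTED_PORTS = {"uplink1"}      # assumption: ports where DHCPv6 servers/relays attach
DHCPV6_CLIENT_PORT = 546         # UDP port DHCPv6 clients listen on
EXT_HEADERS = {0, 43, 60}        # hop-by-hop, routing, destination options
FRAGMENT, UDP = 44, 17

def upper_layer(pkt: bytes):
    """Walk the IPv6 header chain. Return (protocol, offset), or None if it is cut short."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            return None
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return FRAGMENT, off      # non-first fragment carries no UDP header
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    return nxt, off

def shield(ingress_port: str, pkt: bytes) -> str:
    """Decide 'forward' or 'drop' for an IPv6 packet received on ingress_port."""
    if ingress_port in TRUSTED_PORTS:
        return "forward"
    parsed = upper_layer(pkt)
    if parsed is None:
        return "drop"                     # this example fails closed on unparsable chains
    proto, off = parsed
    if proto != UDP:
        return "forward"
    if off + 8 > len(pkt):
        return "drop"                     # truncated UDP header
    dport = struct.unpack_from("!H", pkt, off + 2)[0]
    return "drop" if dport == DHCPV6_CLIENT_PORT else "forward"

def ipv6_udp(dport: int, ext: bytes = b"", first_nh: int = UDP) -> bytes:
    """Constructed sample: IPv6 header, optional extension headers, UDP header from port 547."""
    payload = ext + struct.pack("!HHHH", 547, dport, 8, 0)
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + bytes(32) + payload

DEST_OPTS = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])   # constructed: destination options, PadN only

if __name__ == "__main__":
    for port in ("uplink1", "access7"):
        print(port, shield(port, ipv6_udp(546, DEST_OPTS, 60)))
```

The destination-options sample shows why the filter has to follow the header chain: a check that only looks at the Next Header field of the fixed IPv6 header would not see the UDP header behind the extension header.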
Working Group Summary
This document received a fair bit of in-depth review from key members
of the WG. The WGLC concluded that this is useful information that is
presented in an easy-to-read format.
Document Quality
This document provides advice to IPv6 implementors for protecting
hosts connected to a switched network against rogue DHCPv6 servers.
There is a valid implementation of this functionality on Cisco
equipment. Everyone who reviewed and commented on this document agrees
that this is a significant security issue and that the mechanism that
this draft provides is easy to use given its similarity to a
feature (DHCP snooping) that has existed for IPv4 networks for a
while.
Personnel
Kiran Kumar Chittimaneni is the Document Shepherd.
Joel Jaeggli is the Area Director.