DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers

The information below is for an old version of the document
Document Type Expired Internet-Draft (opsec WG)
Authors Fernando Gont  , Will LIU  , Gunter Van de Velde 
Last updated 2013-06-15 (latest revision 2012-12-12)
Replaces draft-gont-opsec-dhcpv6-shield
Stream Internet Engineering Task Force (IETF)
Expired & archived
pdf htmlized bibtex
Additional Resources
- Mailing list discussion
Stream WG state WG Document
Document shepherd None
IESG IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document specifies a mechanism for protecting hosts connected to a broadcast network against rogue DHCPv6 servers. The aforementioned mechanism is based on DHCPv6 packet-filtering at the layer-2 device on which the packets are received. The aforementioned mechanism has been widely deployed in IPv4 networks ('DHCP snooping'), and hence it is desirable that similar functionality be provided for IPv6 networks.


Fernando Gont (fgont@si6networks.com)
Will LIU (liushucheng@huawei.com)
Gunter Van de Velde (gunter@cisco.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)