IPv6 Security

118 Chapter 3: IPv6 Internet SecurityExample 3-14 shows how the DUID can be statically configured on the delegating routerR1. In this example, the prefix is granted only to the client router R2 with the preconfiguredDUID.Example 3-14 Delegating Router with Static DUIDipv6 dhcp pool CUSTPOOLprefix-delegation 2001:DB8:1234::/48 00030001CA0117DC0000dns-server 2001:DB8:1::1When this change is made on R1 and R2 reconnects to the service provider network, R2receives a unique delegation based on its DUID. Example 3-15 shows the new address thatR2 has been given. Because R2 is using a general prefix, it is passing along the use of thatprefix to its Fast Ethernet 1/1 interface address.Example 3-15 Client Router with Static DUIDR2# show ipv6 dhcp interface FastEthernet 1/0FastEthernet1/0 is in client modeState is OPENRenew will be sent in 00:00:46List of known servers:Reachable via address: FE80::C800:17FF:FEDC:1CDUID: 00030001CA0017DC0000Preference: 0Configuration parameters:IA PD: IA ID 0x00050001, T1 60, T2 120Prefix: 2001:DB8:1234::/48preferred lifetime 604800, valid lifetime 2592000expires at Sep 12 2008 08:38 AM (2591987 seconds)DNS server: 2001:DB8:1::1Information refresh time: 0Prefix name: PREFIXRapid-Commit: disabledR2# show ipv6 interface briefFastEthernet1/0[up/up]FE80::C801:17FF:FEDC:1C2001:DB8::C801:17FF:FEDC:1CFastEthernet1/1[up/up]FE80::C801:17FF:FEDC:1D2001:DB8:1234:1::1R2#Even with statically defined DUIDs, there can still be risks to DHCP-PD that could makethis type of addressing problematic. An attacker could spoof a DUID or somehow try toimpersonate another customer connection. This could either cause a misdirection of trafficor cause a DoS situation for the legitimate user. The same threats against traditional DHCPare the same as the threats against DHCPv6-PD.