Tuesday, 25 August 2015

IETF RFC 7610: "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers"

We have just published IETF RFC 7610, entitled "DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers". The abstract of the RFC is:
This document specifies a mechanism for protecting hosts connected to
a switched network against rogue DHCPv6 servers.  It is based on
DHCPv6 packet filtering at the layer 2 device at which the packets
are received.  A similar mechanism has been widely deployed in IPv4
networks ('DHCP snooping'); hence, it is desirable that similar
functionality be provided for IPv6 networks.  This document specifies
a Best Current Practice for the implementation of DHCPv6-Shield.

We hope that this RFC will help in achieving parity of security features with IPv4.