Posted Jul 24, 2011 18:00 UTC (Sun) by foom (subscriber, #14868)
In reply to: IPv6 NAT by Cyberax
Parent article: IPv6 NAT
> Want to bet that it'd take less than a week in an organization of medium size for a host with a duplicate name to appear?
Well, we use the automatic unauthenticated assignment for desktops so it mostly doesn't matter (and btw, there's ~400 of them). If a duplicate name is requested, it's simply ignored if the first DHCP lease is still active. Of course if the first user's lease expires (or is relinquished), you could steal their hostname, indeed. Shrug.
> Also, that's a nice attack vector for hackers. Just infect your CEO's iPad and make it impersonate a VerySecureFinancialServer.yourorganization.com - DHCP is not authenticated, so all a hacker would need to do is change the iPad's hostname.
Well, yes, guess what. Neither MAC addresses nor IP addresses are authenticated either. If you want to secure such things, you'll need to have a separate trusted network segment (or use 802.1X), and then you can lock down "secure" hostnames to that network segment.
You can also use Windows Active Directory, with which it is trivial to do dynamic hostname assignment authenticated to the host's Kerberos key.
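The registration policy the comment describes (a duplicate hostname is ignored while the first lease is active, the name can change hands once that lease expires, and "secure" names are only accepted from a trusted segment) can be written down as a small model. The following is an added illustration, not code from the commenter, LWN, or any DHCP or DNS server; the class and method names, the segment labels, the client identifiers and the lease timings are all constructed for the example. It additionally records an audit event whenever a name is refused or changes owner, which is the signal a defender would want to alert on.

```python
"""Toy model of DHCP-driven dynamic DNS name registration.

Constructed example (not from the LWN thread): names are claimed on an
unauthenticated basis, as in the comment, so the only controls available
are lease state, the network segment the request arrived on, and auditing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    client_id: str      # DHCP client identifier or MAC; NOT authenticated
    hostname: str
    segment: str        # network segment the request came in on
    expires_at: float   # seconds, compared against the caller-supplied clock


@dataclass
class NameRegistry:
    lease_ttl: float = 3600.0
    # protected hostname -> segment it may only be registered from
    protected: Dict[str, str] = field(default_factory=dict)
    leases: Dict[str, Lease] = field(default_factory=dict)
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def request(self, client_id: str, hostname: str, segment: str, now: float) -> bool:
        """Handle a DHCP name claim; return True if the name is (re)assigned."""
        name = hostname.lower()               # DNS names are case-insensitive

        # Rule 1: a "secure" name is only accepted from its trusted segment.
        required = self.protected.get(name)
        if required is not None and segment != required:
            self.audit.append(("REFUSED_PROTECTED", name, client_id, segment))
            return False

        current: Optional[Lease] = self.leases.get(name)

        # Rule 2: while the first lease is active, other claimants are ignored;
        # the same client may renew.
        if current is not None and current.expires_at > now:
            if current.client_id == client_id:
                current.expires_at = now + self.lease_ttl
                return True
            self.audit.append(("DUPLICATE_IGNORED", name, client_id, segment))
            return False

        # Rule 3: after expiry the name is free again. A different client taking
        # it over is legitimate under this policy, but worth an audit record.
        if current is not None and current.client_id != client_id:
            self.audit.append(("OWNER_CHANGED", name, current.client_id, client_id))

        self.leases[name] = Lease(client_id, name, segment, now + self.lease_ttl)
        return True


def scenario() -> Tuple[List[bool], List[Tuple[str, ...]]]:
    """Walk through the cases discussed in the thread with a constructed timeline."""
    reg = NameRegistry(lease_ttl=100.0)
    # Constructed protected name, pinned to a hypothetical "trusted" segment.
    reg.protected["verysecurefinancialserver.yourorganization.com"] = "trusted"

    results = [
        reg.request("client-A", "desk-a", "desktops", now=0),    # first claim
        reg.request("client-B", "desk-a", "desktops", now=10),   # duplicate, ignored
        reg.request("client-A", "desk-a", "desktops", now=50),   # renewal by owner
        reg.request("client-B", "desk-a", "desktops", now=200),  # lease expired: name changes hands
        reg.request("client-C", "VerySecureFinancialServer.yourorganization.com",
                    "desktops", now=210),                        # wrong segment: refused
        reg.request("srv-1", "VerySecureFinancialServer.yourorganization.com",
                    "trusted", now=220),                         # trusted segment: accepted
    ]
    return results, reg.audit


if __name__ == "__main__":
    outcome, events = scenario()
    print("results:", outcome)
    for event in events:
        print("audit:", event)
```

The model makes the comment's trade-off explicit: with unauthenticated claims, lease state alone only protects a name for as long as its owner keeps renewing, so the segment restriction (or an authenticated scheme such as the Active Directory one the comment mentions) is what actually pins a sensitive name to a machine. The `OWNER_CHANGED` event is the cheap detection hook for the remaining gap.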