
IPv6 NAT

Posted Jul 22, 2011 14:13 UTC (Fri) by foom (subscriber, #14868)
In reply to: IPv6 NAT by Cyberax
Parent article: IPv6 NAT

Well, the way machines get names on both my home IPv4 network and my work IPv4 network is that the DHCP server creates an entry in DNS for the hostname that the endpoint reports in its DHCP request.

When the lease expires, the name is removed from DNS. The device doesn't need to self-register with DNS, since the DHCP server handles it. And the DHCP server doesn't need to have MAC address mapping for the endpoints, since it just gets the names from the DHCP request.

Works great... and would work for IPv6 too, if I had set that up.



IPv6 NAT

Posted Jul 22, 2011 20:10 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

Yeah.

Want to bet that it'd take less than a week in an organization of medium size for a host with a duplicate name to appear?

Also, that's a nice attack vector for hackers. Just infect your CEO's iPad and make it impersonate VerySecureFinancialServer.yourorganization.com. DHCP is not authenticated, so all a hacker would need to do is change the iPad's hostname.

IPv6 NAT

Posted Jul 24, 2011 18:00 UTC (Sun) by foom (subscriber, #14868)

> Want to bet that it'd take less than a week in an organization of medium size for a host with a duplicate name to appear?

Well, we use the automatic unauthenticated assignment for desktops so it mostly doesn't matter (and btw, there's ~400 of them). If a duplicate name is requested, it's simply ignored if the first DHCP lease is still active. Of course if the first user's lease expires (or is relinquished), you could steal their hostname, indeed. Shrug.

> Also, that's a nice attack vector for hackers. Just infect your CEO's iPad and make it impersonate VerySecureFinancialServer.yourorganization.com. DHCP is not authenticated, so all a hacker would need to do is change the iPad's hostname.

Well, yes, guess what. Neither MAC addresses nor IP addresses are authenticated either. If you want to secure such things, you'll need to have a separate trusted network segment (or use 802.1x), and then you can lock down "secure" hostnames to that network segment.

You can also use Windows Active Directory, with which it is trivial to do dynamic hostname assignment authenticated to the host's kerberos key.
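The behaviour the two commenters are arguing about, as an added worked model that is not code from LWN, from either commenter, or from any real DHCP server: a DHCP server that registers the client-supplied hostname in DNS, ignores a duplicate name while the first lease is still active, and drops the record when the lease expires, which is exactly the window in which a second host can take the name over. The "protected names only from a trusted segment" policy is a hypothetical rendering of the mitigation foom describes (a separate trusted VLAN or 802.1X port); all hosts, MAC addresses, IP addresses, subnets and times are constructed for the scenario.

```python
"""Model of DHCP-driven dynamic DNS registration and the name-steal window.

Added illustration, not code from LWN.net, the commenters, or any DHCP
implementation. Every host, MAC, address, subnet and timestamp below is
constructed. The trusted_subnet / protected_names policy is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Lease:
    hostname: str      # name the client put in its DHCP request (unauthenticated)
    mac: str           # client hardware address (also unauthenticated)
    ip: str
    expires: float
    registered: bool   # True if this lease owns the DNS record for hostname


@dataclass
class DhcpDdns:
    lease_seconds: float = 3600.0
    # Hypothetical policy: names in protected_names may only be registered by
    # clients seen on trusted_subnet (e.g. a server VLAN behind 802.1X).
    trusted_subnet: str = ""
    protected_names: Set[str] = field(default_factory=set)
    leases: Dict[str, Lease] = field(default_factory=dict)   # mac -> Lease
    dns: Dict[str, str] = field(default_factory=dict)        # hostname -> ip

    def expire(self, now: float) -> None:
        """Drop lapsed leases; a registered lease takes its DNS record with it."""
        for mac, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[mac]
                if lease.registered:
                    self.dns.pop(lease.hostname, None)

    def owner_of(self, hostname: str) -> Optional[str]:
        """MAC of the active lease that currently holds the DNS name, if any."""
        for lease in self.leases.values():
            if lease.registered and lease.hostname == hostname:
                return lease.mac
        return None

    def request(self, now: float, mac: str, ip: str, hostname: str, subnet: str) -> str:
        self.expire(now)
        if hostname in self.protected_names and subnet != self.trusted_subnet:
            return "rejected: protected name from untrusted segment"
        owner = self.owner_of(hostname)
        if owner is not None and owner != mac:
            # Duplicate name while the first lease is active: the name is
            # ignored, but the client still gets an address.
            self.leases[mac] = Lease(hostname, mac, ip, now + self.lease_seconds, False)
            return "leased, name ignored (held by active lease)"
        # Either the name is free (never used, or its lease expired) or this
        # is the holder renewing: (re)register it.
        self.leases[mac] = Lease(hostname, mac, ip, now + self.lease_seconds, True)
        self.dns[hostname] = ip
        return "leased, name registered"


def run_scenario(lock_down: bool) -> List[Tuple[str, Optional[str]]]:
    """A real server registers 'fileserver'; a second host claims the same
    name before and after the server's lease lapses. Returns (outcome,
    current DNS answer for 'fileserver') per request."""
    srv = DhcpDdns(lease_seconds=3600.0)
    if lock_down:
        srv.trusted_subnet = "10.0.1.0/24"
        srv.protected_names = {"fileserver"}
    log: List[Tuple[str, Optional[str]]] = []

    def step(now: float, mac: str, ip: str, name: str, subnet: str) -> None:
        outcome = srv.request(now, mac, ip, name, subnet)
        log.append((outcome, srv.dns.get("fileserver")))

    step(0, "aa:aa:aa:aa:aa:aa", "10.0.1.10", "fileserver", "10.0.1.0/24")
    step(100, "bb:bb:bb:bb:bb:bb", "10.0.2.50", "fileserver", "10.0.2.0/24")
    # The real server never renews; its lease lapses at t=3600.
    step(3700, "bb:bb:bb:bb:bb:bb", "10.0.2.50", "fileserver", "10.0.2.0/24")
    return log


if __name__ == "__main__":
    for label, lock in (("unrestricted", False), ("locked down", True)):
        print(label)
        for outcome, answer in run_scenario(lock):
            print(f"  {outcome:50s} fileserver -> {answer}")
```

In the unrestricted run the second host's claim is ignored at t=100, then succeeds at t=3700 once the first lease has lapsed, so DNS now points "fileserver" at 10.0.2.50. With the name pinned to the trusted segment the claim is refused both times, and after expiry the name simply has no record rather than a hijacked one.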


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds