
The IAO/NSO will ensure if DHCPV6 is not being used in the enclave it will be disabled.


Overview

Finding ID: V-18632
Version: NET-IPV6-039
Rule ID: SV-20192r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Currently, many vendors are not prepared for DHCPv6 stateful autoconfiguration, so there are very few implementations of it. DHCPv6 is a completely separate protocol from DHCPv4. In IPv4, DHCPDISCOVER uses the unspecified address 0.0.0.0 with a broadcast destination; in IPv6 these messages are sent to the multicast address FF02::1:2 (RFC 3315), relying on IPv6 link-local autoconfiguration. There is also DHCPv6 Prefix Delegation (DHCPv6-PD), which allows a node to request not just an address but an entire prefix; DHCPv6-PD is primarily used by routers. Stateful autoconfiguration offers the best auditing capabilities, because the logs are centralized at the DHCP server, and it may become the preferred implementation as the protocol matures. When DHCP is not being used in an IPv6 network, DHCP packets should be filtered at security boundaries and internally at router interfaces where possible. Internal filtering will not completely prevent use, since on-link attacks never pass through a router; hence the IDS recommendations that follow. Create an IDS check to detect any inconsistencies in the advertised M or O bit values of router advertisements on a link. If DHCP is not being used in the network, create an IDS check to detect traffic on the commonly used DHCP ports. The following port numbers for both TCP and UDP are associated with DHCP: 67, 68, 546, 547, 647, 847, and 2490.
STIG: IDS/IPS Security Technical Implementation Guide
Date: 2013-10-08

Details

Check Text (C-22325r1_chk)
If DHCP is not being used in the network, drop inbound and outbound TCP and UDP packets with the following port numbers: 67, 68, 546, 547, 647, 847, and 2490 on the IDPS.
Fix Text (F-19258r1_fix)
Apply inspection on IDPS.
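The two IDS checks the Description asks for, as an added example that is not part of the STIG or any IDPS product: one flags TCP/UDP traffic on the listed DHCP ports when DHCP is not in use, the other parses the M and O bits out of raw ICMPv6 Router Advertisements and reports links where routers disagree. The flow and RA record formats and all sample data are constructed for illustration.

```python
from collections import defaultdict

# Ports the STIG associates with DHCP (TCP and UDP); alert on them when DHCP is not in use.
DHCP_PORTS = {67, 68, 546, 547, 647, 847, 2490}

def dhcp_port_alerts(flows, dhcp_in_use=False):
    """Return flow records (hypothetical dicts: proto, src, sport, dst, dport) touching a DHCP port."""
    if dhcp_in_use:          # this check only applies when DHCP is not deployed on the network
        return []
    return [f for f in flows
            if f["proto"] in ("tcp", "udp")
            and (f["sport"] in DHCP_PORTS or f["dport"] in DHCP_PORTS)]

def parse_ra_flags(icmpv6):
    """Return (M, O) bits from a raw ICMPv6 Router Advertisement: type 134 at offset 0,
    flags byte at offset 5 with M = 0x80 and O = 0x40 (RFC 4861)."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not a Router Advertisement")
    return (icmpv6[5] >> 7) & 1, (icmpv6[5] >> 6) & 1

def ra_flag_inconsistencies(ras):
    """Group RAs per link and report links whose routers advertise different M/O values.
    Each record is a dict with link, router and the raw icmpv6 message (constructed format)."""
    by_link = defaultdict(dict)
    for ra in ras:
        by_link[ra["link"]][ra["router"]] = parse_ra_flags(ra["icmpv6"])
    return {link: routers for link, routers in by_link.items()
            if len(set(routers.values())) > 1}

def make_ra(flags):
    """Constructed RA header: type 134, code 0, checksum 0, hop limit 64, flags, rest zeroed."""
    return bytes([134, 0, 0, 0, 64, flags]) + bytes(10)

# Constructed sample input (not captured traffic)
SAMPLE_FLOWS = [
    {"proto": "udp", "src": "fe80::1", "sport": 546, "dst": "ff02::1:2", "dport": 547},
    {"proto": "tcp", "src": "2001:db8::10", "sport": 51000, "dst": "2001:db8::20", "dport": 443},
    {"proto": "udp", "src": "10.0.0.5", "sport": 68, "dst": "255.255.255.255", "dport": 67},
]
SAMPLE_RAS = [
    {"link": "vlan10", "router": "fe80::a", "icmpv6": make_ra(0x00)},  # M=0, O=0
    {"link": "vlan10", "router": "fe80::b", "icmpv6": make_ra(0xC0)},  # M=1, O=1: disagrees
    {"link": "vlan20", "router": "fe80::c", "icmpv6": make_ra(0x00)},
]

if __name__ == "__main__":
    for f in dhcp_port_alerts(SAMPLE_FLOWS):
        print("DHCP port traffic while DHCP is unused:", f)
    for link, routers in ra_flag_inconsistencies(SAMPLE_RAS).items():
        print("RA M/O flag mismatch on", link, routers)
```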