DHCPv6 security concerns

The enhancements in IPv6 provide better security in certain areas, but some of these areas are still open to exploitation by attackers. This section identifies the IPv6 FHS concerns associated with Dynamic Host Configuration Protocol version 6 (DHCPv6).

DHCPv6 (RFC 3315) describes how a host can acquire an IPv6 address and other configuration options from a server that is available on its local link. DHCPv6 is described as a stateful protocol. In other words, DHCPv6 can operate in a stateless fashion where it provides configuration information to nodes and does not perform address assignments (RFC 3736). In addition, it can operate in a stateful manner, where it assigns IPv6 addresses and configuration information to hosts that request it.

As in IPv4 DHCP, DHCPv6 is susceptible to rogue server attacks. In other words, if DHCPv6 is used to provide IPv6 addresses to the hosts, an attacker that managed to insert a rogue DHCPv6 server in the link can potentially assign addresses and configuration options to the link hosts. In turn, the attacker can deploy man-in-the-middle, traffic interception, or blackhole traffic, similar to those in the stateless address autoconfiguration scenario. Therefore, it is important to use DHCP protections for both IPv4 and IPv6.