A false sense of security is worse than no security at all; at least with no security you know you don't have any.
Support for DHCPv6 (RFC 3315)
There are business requirements, and compliance requirements, where you need to track what host had what IP at what time.
It’s 2020 And Android’s IPv6 Is Still Broken
The Big Myth
Terribly Inadequate
Android is Not Broken
RFC 8504 (BCP 220) - IPv6 Node Requirements says the following about stateful DHCPv6 support (6.5):
DHCPv6 [RFC3315] can be used to obtain and configure addresses. In general, a network may provide for the configuration of addresses through SLAAC, DHCPv6, or both. There will be a wide range of IPv6 deployment models and differences in address assignment requirements, some of which may require DHCPv6 for stateful address assignment. Consequently, all hosts SHOULD implement address configuration via DHCPv6.
The requirement is a SHOULD, so stateful DHCPv6 is not a MUST implement. The Android IPv6 implementation complies with RFC 8504 / BCP 220.
Even if Android did implement stateful DHCPv6, it still wouldn't solve the problem that DHCPv6 doesn't record all IPv6 addresses in use.
IPv6 Addresses in Use
So if a network operator wants to have an accurate database of IPv6 addresses in use on a link and across the network, then they'll need a method that records:
- IPv6 addresses provided by stateful DHCPv6
- IPv6 addresses generated by hosts using SLAAC
- IPv6 addresses that have been manually configured
- IPv6 link-local autoconfigured addresses
I don't know of any specific methods or solutions that record IPv6 addresses that have been configured or generated using all of these addressing mechanisms. RFC 7039 - Source Address Validation Improvement (SAVI) Framework comes to mind, if an implementation also reports all of the source addresses it discovers.
The point of this article isn't to explore solutions - the reader can look into those.
The point is to call out the myth that Stateful DHCPv6 (and DHCPv4) record all IPv6 (or IPv4) addresses in use on a network, and that believing so is being lulled into a false sense of security, which is worse than no security at all.
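To make the gap concrete, here is an added example (not code from the original article) that compares a DHCPv6 lease list against addresses seen in a router's neighbor cache and reports every in-use address the lease database never recorded. The lease list, the neighbor entries, the function names and the category labels are all constructed for illustration.

```python
import ipaddress

# Constructed sample data: addresses the DHCPv6 server leased, and
# (address, MAC) pairs as they might appear in a router's neighbor cache.
DHCPV6_LEASES = ["2001:db8:1::100", "2001:db8:1::101"]
NEIGHBORS = [
    ("2001:db8:1::100", "52:54:00:aa:bb:01"),                   # leased
    ("fe80::5054:ff:feaa:bb01", "52:54:00:aa:bb:01"),           # link-local
    ("2001:db8:1:0:5054:ff:feaa:bb02", "52:54:00:aa:bb:02"),    # SLAAC, EUI-64 IID
    ("2001:db8:1:0:9c3e:71d2:4b8a:1f06", "52:54:00:aa:bb:03"),  # SLAAC, random IID
    ("2001:db8:1::53", "52:54:00:aa:bb:04"),                    # manually configured
]

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a MAC (RFC 4291, Appendix A)."""
    b = bytearray(int(octet, 16) for octet in mac.split(":"))
    b[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(addr: str, mac: str, leased: set) -> str:
    ip = ipaddress.IPv6Address(addr)
    if ip in leased:
        return "dhcpv6-lease"
    if ip.is_link_local:
        return "link-local"
    if int(ip) & (2**64 - 1) == eui64_iid(mac):
        return "slaac-eui64"
    # A random-IID SLAAC address and a manual one look alike on the wire,
    # so the address alone cannot tell them apart.
    return "slaac-or-manual"

def unrecorded(leases, neighbors) -> dict:
    """Map each observed address missing from the lease database to its likely origin."""
    leased = {ipaddress.IPv6Address(a) for a in leases}
    report = {}
    for addr, mac in neighbors:
        kind = classify(addr, mac, leased)
        if kind != "dhcpv6-lease":
            report[addr] = kind
    return report

if __name__ == "__main__":
    for addr, kind in unrecorded(DHCPV6_LEASES, NEIGHBORS).items():
        print(f"{addr:40} {kind}")
```

With this sample data, four of the five observed addresses are absent from the lease database even though stateful DHCPv6 is running on the link.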