A false sense of security is worse than no security at all; at least with no security you know you don't have any.
For many years, people have been complaining that Android is "broken" because it doesn't support stateful DHCPv6, meaning that it has a stateful DHCPv6 client that can acquire IPv6 addresses from a DHCPv6 server.
These complaints have mostly come from people running enterprise networks, who are used to running DHCPv4 to provide IPv4 addresses to hosts.
There are also many articles and blog posts about it, such as the following, easily found through a Google (!) search:
There are business requirements, and compliance requirements, where you need to track what host had what IP at what time.It’s 2020 And Android’s IPv6 Is Still Broken
The Big Myth
It's all a big myth. DHCPv4 and DHCPv6 do not "track what host had what IP at what time." Neither DHCPv4 or DHCPv6 never have, never will and never were designed to.
DHCPv4 normally only keeps a database of hosts running DHCPv4 clients that have requested and been supplied with IPv4 addresses (that is, an IPv4 address lease database). An attacker can easily bypass being recorded in the DHCPv4 database by not running a DHCPv4 client, and manually configuring an IPv4 address instead. Discovering what IPv4 address space exists on a link would be a simple as packet capturing some periodically broadcast ARP requests - and that is if IPv4 addressing isn't conveniently printed on a label on a device like a shared printer in a common area.
Stateful DHCPv6 normally only keeps a database of hosts running DHCPv6 clients that have requested and been supplied with IPv6 addresses (that is, an IPv6 client binding database). An attacker can easily bypass being recorded in the DHCPv6 database by not running a DHCPv6 client, and manually configuring an IPv6 address instead. Discovering what IPv6 address space exists on a link would be as simple as packet capturing some multicast IPv6 Router Advertisements or multicast Neighbor Discovery Neighbor Solicitations - or finding a printer with an IPv6 address label on it.
Additionally, DHCPv6 doesn't record IPv6 addresses that hosts generate using SLAAC (of course), nor does DHCPv6 record hosts' link-local addresses.
If the attacker's goal is to steal link bandwidth, by doing something like transferring files between two hosts on the link surreptitiously, the attacker doesn't even need to manually configure IPv6 addresses either. IPv6 interfaces are required to automatically configure a link-local address, to be used as a source address for things such as sending Neighbor Discovery messages and Router Solicitations.
Terribly Inadequate
DHCPv4 and DHCPv6 are terribly inadequate for the security purposes of recording IPv4 or IPv6 addresses in use on the network.
Believing they are recording all IPv4 or IPv6 addresses in use on the network is false security.
Android is Not Broken
RFC 8504 (BCP 220) - IPv6 Node Requirements says the following about stateful DHCPv6 support (6.5):
DHCPv6 [RFC3315] can be used to obtain and configure addresses. In
general, a network may provide for the configuration of addresses
through SLAAC, DHCPv6, or both. There will be a wide range of IPv6
deployment models and differences in address assignment requirements,
some of which may require DHCPv6 for stateful address assignment.
Consequently, all hosts SHOULD implement address configuration via
DHCPv6.
Stateful DHCPv6 is not a MUST implement. The Android IPv6 implementation complies with RFC 8504 / BCP 220.
Even if Android did implement stateful DHCPv6, it still wouldn't solve the problem that DHCPv6 doesn't record all IPv6 addresses in use.
IPv6 Addresses in Use
So if a network operator wants to have an accurate database of IPv6 addresses in use on a link and across the network, then they'll need a method that records:
- IPv6 addresses provided by Stateful DHCPv6
- IPv6 addresses generated by hosts using SLAAC.
- IPv6 addresses that have been manually configured
- IPv6 link-local autoconfigured addresses
I don't know of any specific methods or solutions that records IPv6 addresses that have been configured or generated using all of these addressing mechanisms. RFC 7039 - Source Address Validation Improvement (SAVI) Framework comes to mind, if an implementation also reports all of the source addresses it discovers.
The point of this article isn't to explore solutions - the reader can look into those.
The point is to call out the myth that Stateful DHCPv6 (and DHCPv4) record all IPv6 (or IPv4) addresses in use on a network, and that believing so is being lulled into a false sense of security, which is worse than no security at all.
In terms of specific solutions to log addresses, most enterprise switches provide a way to do that these days. Enno posted a good list of options a while ago:
ReplyDeletehttps://theinternetprotocolblog.wordpress.com/2020/03/14/does-one-need-dhcpv6/
It is sophistic.
ReplyDeleteIt is very evident that it is much easy to collect logs from 1 DHCP server than from all Routers.
And because every DHCP server is collecting such logs - the only statement of this article is not true...
DHCPv4/v6 servers do record address usage.
DHCPv6 or DHCPv4 servers do record addresses they've given to DHCPv6 or DHCPv4 clients.
DeleteThey do not record IPv4 or IPv6 addresses in use on the network, since hosts can have IPv6 or IPv4 addresses that were not acquired via DHCPv4 or DHCPv6, via methods such as manual configuration, SLAAC or automatic Link-Local IPv6 addresses.
People claim the former is the same as the latter, using that to demand that Android support stateful DHCPv6. That is sophistic.
What a ridiculous argument. The address log is not needed for the mythical hooded hacker. It is needed for regular clients.
ReplyDeleteOne can always find ways a "hacker" could circumvent things. That is not a reason to not implement something.
Did you miss this as the requirement that DHCPv6 and DHCPv4 don't satisfy:
Delete"There are business requirements, and compliance requirements, where you *need to track what host had what IP at what time*."