We have just published IETF RFC 7610, entitled “DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers”. The abstract of the RFC is:
This document specifies a mechanism for protecting hosts connected to a switched network against rogue DHCPv6 servers. It is based on DHCPv6 packet filtering at the layer 2 device at which the packets are received. A similar mechanism has been widely deployed in IPv4 networks (‘DHCP snooping’); hence, it is desirable that similar functionality be provided for IPv6 networks. This document specifies a Best Current Practice for the implementation of DHCPv6-Shield.
We hope that this RFC will help in achieving parity of security features with IPv4.
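The filtering decision the abstract describes, sketched as an added example (not code from the RFC or from this post). It assumes server-to-client DHCPv6 is recognised by UDP destination port 546 after walking the IPv6 extension header chain, and that truncated chains are dropped on untrusted ports; `shield_verdict` and `build` are hypothetical names, and the packets are constructed samples.

```python
import struct

DHCPV6_CLIENT_PORT = 546        # UDP port DHCPv6 clients listen on
UDP = 17
EXT_HEADERS = {0, 43, 60}       # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44

def shield_verdict(ipv6_packet: bytes, port_trusted: bool) -> str:
    """Return 'forward' or 'drop' for a packet received on a switch port."""
    if port_trusted:
        return "forward"        # port where a DHCPv6 server or relay is allowed
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        return "forward"        # not an IPv6 packet: outside this filter's scope
    next_hdr, offset = ipv6_packet[6], 40
    # Walk the whole chain so server messages cannot hide behind extension headers.
    while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT:
        if offset + 8 > len(ipv6_packet):
            return "drop"       # truncated chain: fail closed (assumption)
        if next_hdr == FRAGMENT:
            frag_off = struct.unpack_from("!H", ipv6_packet, offset + 2)[0] >> 3
            if frag_off != 0:
                return "forward"  # non-first fragment carries no UDP header
            hdr_len = 8
        else:
            hdr_len = (ipv6_packet[offset + 1] + 1) * 8
        next_hdr = ipv6_packet[offset]
        offset += hdr_len
    if next_hdr != UDP:
        return "forward"
    if offset + 8 > len(ipv6_packet):
        return "drop"           # UDP header cut short: fail closed (assumption)
    dst_port = struct.unpack_from("!H", ipv6_packet, offset + 2)[0]
    return "drop" if dst_port == DHCPV6_CLIENT_PORT else "forward"

def build(chain, src_port, dst_port):
    """Constructed sample: IPv6 header, 8-byte extension headers, UDP header."""
    protos = list(chain) + [UDP]
    body = b"".join(bytes([protos[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    body += struct.pack("!HHHH", src_port, dst_port, 8, 0)
    return struct.pack("!IHBB", 6 << 28, len(body), protos[0], 64) + bytes(32) + body

if __name__ == "__main__":
    for chain in ([], [60, 44]):
        print(chain, shield_verdict(build(chain, 547, 546), port_trusted=False))
```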