Unsolved IPv6 Anycast

---

How is the IPv6 Anycast address secured?

If I can have 2 machines with same address and a client will access the nearest machine than If I were a malicious user, could I assign my machines IPv6 Anycast address to a google server IPv6 address, and have people access my machine as if it were a google server? I'm sure it wouldn't be as simple as this but I'm trying to understand how this is avoided.

@brandon-lam,
There are number of issues that can be discussed when thinking about this.

• Stateless Autoconfiguration: without any authentication you have no level of security. Put differently, you have the same level of security as if you're doing ARP for IPv4--zilch.
• Neighbor Solicitation: Neighbor A queries for the L2 address of a Neighbor B; Neighbor B can reply with L2 address. Now L2 address are exchanged, they can communicate on the link between them.
• Duplicate Address Detection: Neighbor A solicits to verify that an IP address is configured.

This is protected through Secure Neighbor Discovery (SEND) RFC 3971.

• SEND require RSA Signature and one of the following:
  • CGA (Cryptographically Generated Addresses) options in all solicitations
  • responding nodes to NS to proof of authorization
  • responding nodes in NA to have proof of authorization
  • requires an advertisement to include a matching NONCE option in the solicitation.

Get a good firewall. In my data center, I use a Fortinet 800C. At home, I use a Fortinet 60E. If you have malicious users, why? You are better off doing OSPF authentication to route maps to take unauthorized connections to an MPLS network and not allow them into OSPF or your work on your network.