[101278] in North American Network Operators' Group


Re: v6 subnet size for DSL & leased line customers

daemon@ATHENA.MIT.EDU (Tony Li)
Wed Dec 26 13:23:38 2007

In-Reply-To: <20071226162602.GB57794@ussenterprise.ufp.org>
Cc: North American Network Operators Group <nanog@merit.edu>
From: Tony Li <tony.li@tony.li>
Date: Wed, 26 Dec 2007 10:22:07 -0800
To: Leo Bicknell <bicknell@ufp.org>
Errors-To: owner-nanog@merit.edu



On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote:

> In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500,
> Kevin Loch wrote:
>> RA is a shotgun.  All hosts on a segment get the same gateway.  I have
>> no idea what a host on multiple segments with different gateways would
>> do.  Hosting environments can get complex thanks to customer
>
> I would like to point out that in IPv4 we have ICMP Router
> Advertisement messages.  I have never seen them used on a production
> network.  I know one of the worries is security, that a compromised host
> could send out advertisements, drawing traffic to it that it can then
> snoop and pass on to the real gateway.
>
> Having not looked in great detail, I am unclear if IPv6 has done
> something to fix this concern or not.
>
> Is this feature going to get turned off when the first worm comes along
> that spoofs RA's
>


It's unlikely that it will matter.  In practice, ICMP router
discovery died a long time ago, thanks to neglect.  Host vendors
didn't adopt it, and it languished.  The problem eventually got
solved with HSRP and its clone, VRRP.

This doesn't resolve the real underlying problem: Ethernet is
inherently insecure.  MAC addresses can be forged, protocols (ARP,
ND) can be forged and at this point, there's not much that we can do
about it.  Architecturally, we need authentication over each and
every control plane packet sent.  Getting there without invoking the
full complexity of a public key infrastructure is still an unsolved
problem, AFAIK.

Tony
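The concern raised in the quoted message, a host on the segment sending Router Advertisements it has no business sending, is what a rogue-RA monitor on a mirror port is built to catch. The following is an added example and not code from anyone in this thread: it builds RA payloads in the RFC 4861 layout purely as constructed test input, parses observed RAs (header, Source Link-Layer Address option, Prefix Information option), and flags any RA whose source is not on an allowlist of known routers, whose link-layer option disagrees with the frame's MAC, or which advertises a prefix the operator did not configure. The allowlists, the fe80::1/fe80::2 sources, the MACs and the 2001:db8 prefixes are all constructed; capture from the wire is assumed to be done elsewhere and fed in as (source address, source MAC, ICMPv6 payload) tuples.

```python
import struct
import ipaddress

# ICMPv6 message and option type codes from RFC 4861
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def build_ra(router_lifetime, prefix, src_mac, hop_limit=64, flags=0):
    """Build a Router Advertisement payload (RFC 4861 section 4.2) as test input.

    The checksum is left zero: the sending stack computes it over the IPv6
    pseudo-header, and the audit below does not depend on it.
    """
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         hop_limit, flags, router_lifetime, 0, 0)
    # Source Link-Layer Address option: type 1, length 1 (8 octets)
    lladdr_opt = struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1,
                             bytes.fromhex(src_mac.replace(":", "")))
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (32 octets), L and A flags set,
    # valid/preferred lifetimes of 30 and 7 days
    prefix_opt = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                             2592000, 604800, 0, net.network_address.packed)
    return header + lladdr_opt + prefix_opt


def parse_ra(payload):
    """Parse an RA payload into a dict; raise ValueError on anything malformed."""
    if len(payload) < 16:
        raise ValueError("truncated RA header")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "src_lladdr": None, "prefixes": []}
    offset = 16
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:  # RFC 4861 requires discarding the whole packet
            raise ValueError("zero-length option")
        opt = payload[offset:offset + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated option body")
        if opt_type == OPT_SOURCE_LLADDR:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res, raw = struct.unpack("!BBIII16s", opt[2:32])
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(raw)}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        offset += opt_len * 8
    return ra


def audit_ras(observations, allowed_routers, allowed_prefixes):
    """Flag RAs that did not come from a known router or advertise unknown prefixes.

    observations: (source IPv6 address, frame source MAC, ICMPv6 payload) tuples
    as a monitoring port would see them. Returns a list of (source, reason) alerts.
    """
    routers = {ipaddress.IPv6Address(a) for a in allowed_routers}
    nets = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    alerts = []
    for src_ip, src_mac, payload in observations:
        src = ipaddress.IPv6Address(src_ip)
        try:
            ra = parse_ra(payload)
        except ValueError as exc:
            alerts.append((str(src), f"malformed RA: {exc}"))
            continue
        if src not in routers:
            alerts.append((str(src), "RA from unexpected source"))
        if ra["src_lladdr"] and ra["src_lladdr"] != src_mac.lower():
            alerts.append((str(src), "source link-layer option does not match frame MAC"))
        for p in ra["prefixes"]:
            if ipaddress.IPv6Network(p["prefix"]) not in nets:
                alerts.append((str(src), f"unexpected prefix {p['prefix']}"))
    return alerts


# Constructed sample traffic: one RA from the real gateway, one from a host that
# is not a router but advertises itself and its own prefix anyway.
ALLOWED_ROUTERS = {"fe80::1"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}
SAMPLE_OBSERVATIONS = [
    ("fe80::1", "00:00:5e:00:01:01", build_ra(1800, "2001:db8:1::/64", "00:00:5e:00:01:01")),
    ("fe80::2", "02:00:00:00:00:aa", build_ra(1800, "2001:db8:ffff::/64", "02:00:00:00:00:aa")),
]


def run_demo():
    return audit_ras(SAMPLE_OBSERVATIONS, ALLOWED_ROUTERS, ALLOWED_PREFIXES)


if __name__ == "__main__":
    for src, reason in run_demo():
        print(f"ALERT {src}: {reason}")
```

On the sample input the gateway's RA passes and the second host produces two alerts, one for the unknown source and one for the unknown prefix. The checks are deliberately allowlist-based rather than signature-based, since, as the message above says, nothing in the frame itself can be trusted; the operator's own knowledge of which routers and prefixes belong on the segment is the only ground truth available without authenticated ND.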

