[111623] in North American Network Operators' Group


RE: IPv6 delivery model to end customers

daemon@ATHENA.MIT.EDU (TJ)
Mon Feb 9 13:58:52 2009

From: "TJ" <trejrco@gmail.com>
To: <nanog@nanog.org>
In-Reply-To: <36243D984F88BA4ABD1E0EFC1E61B989652601@fudd.ad.maine.edu>
Date: Mon, 9 Feb 2009 13:58:43 -0500
Errors-To: nanog-bounces@nanog.org

>A big one is a solution to address the security concerns with IPv6 RA
>(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the
>option of using DHCP snooping to suppress unauthorized DHCP servers from
>handing out address information. With IPv6, any host can announce itself
>as a router (using RA) and make network traffic suddenly start making use
>of it as the router for a network. This makes it possible for hosts to
>inadvertently disrupt network service (Vista) or even be used maliciously
>to perform a man-in-the-middle attack to intercept your traffic. Similarly
>with DHCPv6 there is nothing stopping a host from trying to hand out
>stateful IPv6 address configuration.
>
>Even worse is that since modern hosts give traffic priority to IPv6, it
>becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router
>on IPv4-only networks. So there are security concerns even for networks
>that do not run IPv6 here.
>
>I think it goes without saying that this needs to be addressed before
>IPv6 can be deployed on most campus networks where users manage their own
>PCs.
>
>So Cisco (and other vendors) needs to introduce two things for LAN
>switching: DHCPv6 snooping, and more importantly, RA suppression (or RA
>snooping).

Indeed, this is a problem.
RA Guard is a very straightforward, hopefully soon-to-be-widely-supported,
defense.
	http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

A "pure layer 3" solution is, of course, SEND/CGA ... where deployment
concerns/problems abound ...
	http://tools.ietf.org/html/rfc3971 and
	http://tools.ietf.org/html/rfc3972

And as I may have said once or thrice already, YES - I agree these solutions
should have been developed / made deployable long before now.


>As far as IPv6 deployment to residential customers...  I say most things
>these days are moving to Metro Ethernet.  Give ea. customer a VLAN, that
>will save you a lot of headache and ultimately provide a better experience
>for the customer.

Amen to that ...
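
As an added illustration of what an RA Guard port policy (the draft linked
above) actually has to decide per frame, here is a rogue-RA filter written
for this page; it is not code from the thread, from the draft, or from any
switch vendor. It parses an Ethernet/IPv6/ICMPv6 Router Advertisement
(layouts per RFC 2460 and RFC 4861), then forwards it only if the source
MAC is an authorised router, the source address is link-local, the IPv6
hop limit is 255 and every advertised prefix is one the operator expects.
The router MAC, prefixes and sample frames (a legitimate router, a Vista-
style host advertising its own prefix, a host spoofing the router's MAC,
an off-link RA and a truncated one) are all constructed here; ICMPv6
checksums are not verified, on the assumption that a layer-2 filter need
not, and the constructed frames leave them at zero.

```python
"""Rogue Router Advertisement filter in the style of an RA Guard port policy.

Added example, not from the NANOG thread or any vendor.  Frame layouts follow
RFC 2460 (IPv6 header) and RFC 4861 (ND); sample policy and frames are
constructed inline.  ICMPv6 checksums are not verified (assumption).
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134      # ICMPv6 type for Router Advertisement
ND_OPT_PREFIX_INFO = 3      # ND option: Prefix Information (32 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ra_frame(src_mac, src_ip, hop_limit, prefixes, dst_mac="33:33:00:00:00:01"):
    """Build Ethernet/IPv6/ICMPv6 RA bytes for the constructed test cases."""
    # RA header (RFC 4861 4.2): type, code, checksum (left 0), cur hop limit,
    # flags, router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # Prefix Information option: type 3, length 4 (x8 bytes), L+A flags set
        icmp += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                            0xC0, 2592000, 604800, 0) + net.network_address.packed
    ip6 = (struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ip).packed
           + ipaddress.IPv6Address("ff02::1").packed)      # all-nodes multicast
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_ra_frame(frame: bytes):
    """Return (src_mac, src_ip, hop_limit, [prefixes]) for an RA frame,
    None for any frame that is not an RA, ValueError for a malformed RA."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    # Extension headers are not walked (assumption: a genuine RA carries none)
    if ip6[0] >> 4 != 6 or next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 1 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    if len(icmp) < 16 or len(icmp) != payload_len:
        raise ValueError("truncated router advertisement")
    prefixes, off = [], 16
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            raise ValueError("bad ND option length")    # RFC 4861 4.6: discard packet
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        opt = icmp[off:off + opt_len]
        if len(opt) != opt_len:
            raise ValueError("ND option runs past packet end")
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 32:
            prefixes.append(ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False))
        off += opt_len
    return mac_str(frame[6:12]), ipaddress.IPv6Address(ip6[8:24]), hop_limit, prefixes


def ra_guard(frame: bytes, allowed_router_macs, allowed_prefixes):
    """Port-policy decision for one frame: ('forward' | 'drop', reason)."""
    try:
        parsed = parse_ra_frame(frame)
    except ValueError as exc:
        return "drop", f"malformed RA ({exc})"
    if parsed is None:
        return "forward", "not a router advertisement"     # RA Guard ignores other traffic
    src_mac, src_ip, hop_limit, prefixes = parsed
    if src_mac not in {m.lower() for m in allowed_router_macs}:
        return "drop", f"RA from unauthorised source {src_mac}"
    if not src_ip.is_link_local:
        return "drop", f"RA source {src_ip} is not link-local (RFC 4861 6.1.2)"
    if hop_limit != 255:
        return "drop", f"hop limit {hop_limit} != 255, RA did not originate on-link"
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for p in prefixes:
        if p not in allowed:
            return "drop", f"unexpected prefix {p} advertised by {src_mac}"
    return "forward", "RA from authorised router"


# Constructed policy for one campus VLAN (router MAC and prefix are invented)
ROUTER_MAC = "00:11:22:33:44:55"
POLICY = dict(allowed_router_macs={ROUTER_MAC}, allowed_prefixes={"2001:db8:1::/64"})


def demo():
    """Run the filter over constructed frames; returns {case: verdict}."""
    good = build_ra_frame(ROUTER_MAC, "fe80::1", 255, ["2001:db8:1::/64"])
    cases = {
        "real router": good,
        "vista host advertising its own prefix":
            build_ra_frame("aa:bb:cc:dd:ee:ff", "fe80::a8bb:ccff:fedd:eeff", 255, ["2001:db8:dead::/64"]),
        "spoofed router mac, rogue prefix":
            build_ra_frame(ROUTER_MAC, "fe80::1", 255, ["2001:db8:bad::/64"]),
        "off-link hop limit": build_ra_frame(ROUTER_MAC, "fe80::1", 64, ["2001:db8:1::/64"]),
        "truncated RA": good[:70],
        "arp frame (not an RA)": mac_bytes(ROUTER_MAC) * 2 + b"\x08\x06" + bytes(28),
    }
    return {name: ra_guard(frame, **POLICY)[0] for name, frame in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

The MAC allow-list is the check the draft's "RA Guard" does on a switch
port; the link-local and hop-limit checks are what a host is already
required to apply under RFC 4861, and are cheap to repeat at the port.
The prefix check is the one that catches a host that spoofs the real
router's MAC, which is why a port policy is stronger than a plain
MAC filter.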


