[118493] in North American Network Operators' Group


Re: {SPAM?} Re: IPv6 Deployment for the LAN

daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu Oct 22 15:30:07 2009

Date: Thu, 22 Oct 2009 12:29:30 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <7a6830090910221223i7dcc04e4vbada0f9d7d1c1777@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In a message written on Thu, Oct 22, 2009 at 03:23:13PM -0400, Ray Soucy wrote:
> If the argument against RA being used to provide gateway information
> is "rogue RA," then announcing gateway information through the use of
> DHCPv6 doesn't solve anything.  Sure you'll get around rogue RA, but
> you'll still have to deal with rogue DHCPv6.  So what is gained?

It's a huge difference, and any conference network shows it.

Let's assume 400 people come into a room, get up and working (with
DHCPv4, and IPv6 RA's).

Someone now introduces a rogue IPv4 server.  Who breaks?  Anyone who
requests a new lease.  That is, 400 people keep working just fine.

Now, someone introduces a rogue RA.  Who breaks?  All 400 users are
instantly down.

More importantly, there is another class of misconfigured device.  I
plugged in a Cisco router to download new code to it on our office
network.  It had a DHCP forward statement, and IPv6.  It was from
another site.

The DHCP forward didn't work, it pointed to something non-existent that
also was never configured for the local subnet.  There was zero chance
of IPv4 interference.

The IPv6 network picked up the RA to a router with no routes though, and
so simply plugging in the old router took down the entire office
network.

The operational threats of a DHCP based network and a RA based network
are quite different.  Try it on your own network.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
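
Added example, not part of the original post: a check that tells an expected Router Advertisement from the kind described above (an RA from an unexpected router that hosts would adopt as a default gateway). The allow-list, the function names and the sample packet are constructed assumptions; the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

# Assumption: link-local addresses of the routers expected on this segment.
ALLOWED_ROUTERS = {ipaddress.ip_address("fe80::1")}

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134). No checksum check."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    (lifetime,) = struct.unpack_from("!H", icmp6, 6)
    ra = {"router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off + 2 : off + opt_len]
        if opt_type == 1 and len(body) >= 6:  # Source Link-Layer Address
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == 3 and opt_len == 32:  # Prefix Information
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            ra["prefixes"].append(str(net))
        off += opt_len
    return ra

def classify(src: str, icmp6: bytes) -> str:
    """Label an RA seen on the wire by sender and by what hosts would do with it."""
    ra = parse_ra(icmp6)
    if ipaddress.ip_address(src) in ALLOWED_ROUTERS:
        return "ok"
    if ra["router_lifetime"] > 0:
        # RFC 4861: receiving hosts add this sender to their default router list.
        return "rogue-default-router"
    return "rogue-prefix-only" if ra["prefixes"] else "unexpected-ra"

def build_ra(lifetime: int, mac: str, prefix: str, plen: int) -> bytes:
    """Build a constructed sample RA (checksum left at zero) for offline use."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + sll + pio + ipaddress.ip_address(prefix).packed

if __name__ == "__main__":
    sample = build_ra(1800, "02:00:00:00:00:99", "2001:db8:99::", 64)  # constructed
    print(classify("fe80::1", sample), classify("fe80::99", sample))
```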


