[118494] in North American Network Operators' Group
Re: {SPAM?} Re: IPv6 Deployment for the LAN
daemon@ATHENA.MIT.EDU (Ray Soucy)
Thu Oct 22 15:43:12 2009
In-Reply-To: <20091022192930.GA16755@ussenterprise.ufp.org>
Date: Thu, 22 Oct 2009 15:42:19 -0400
From: Ray Soucy <rps@maine.edu>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Sorry, not buying it.
The solution here, and one that is already being worked on by vendors,
is RA guard, not changing DHCPv6 in an effort to bypass RA.
What you're proposing as a solution isn't much of a solution at all, but
just a (seemingly) lesser problem.
On Thu, Oct 22, 2009 at 3:29 PM, Leo Bicknell <bicknell@ufp.org> wrote:
> In a message written on Thu, Oct 22, 2009 at 03:23:13PM -0400, Ray Soucy wrote:
>> If the argument against RA being used to provide gateway information
>> is "rogue RA," then announcing gateway information through the use of
>> DHCPv6 doesn't solve anything. Sure you'll get around rogue RA, but
>> you'll still have to deal with rogue DHCPv6. So what is gained?
>
> It's a huge difference, and any conference network shows it.
>
> Let's assume 400 people come into a room, get up and working (with
> DHCPv4, and IPv6 RA's).
>
> Someone now introduces a rogue IPv4 server. Who breaks? Anyone who
> requests a new lease. That is 400 people keep working just fine.
>
> Now, someone introduces a rogue RA. Who breaks? All 400 users are
> instantly down.
>
> More importantly, there is another class of misconfigured device. I
> plugged in a Cisco router to download new code to it on our office
> network. It had a DHCP forward statement, and IPv6. It was from
> another site.
>
> The DHCP forward didn't work, it pointed to something non-existent that
> also was never configured for the local subnet. There was zero chance
> of IPv4 interference.
>
> The IPv6 network picked up the RA to a router with no routes though, and
> so simply plugging in the old router took down the entire office
> network.
>
> The operational threats of a DHCP based network and a RA based network
> are quite different. Try it on your own network.
>
> --
>        Leo Bicknell - bicknell@ufp.org - CCIE 3440
>         PGP keys at http://www.ufp.org/~bicknell/
>
--
Ray Soucy
Communications Specialist
+1 (207) 561-3526
Communications and Network Services
University of Maine System
http://www.maine.edu/
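As an added illustration of the RA guard approach Ray points to (example code written for this archive page, not from either poster), the following parses constructed ICMPv6 Router Advertisement payloads and applies a port-trust policy at the switch: the port names and the trusted-port set are assumptions.

```python
import struct
import ipaddress
from dataclasses import dataclass
# Assumption: the only switch port behind which a legitimate router sits (hypothetical name).
TRUSTED_PORTS = {"Gi1/0/1"}

@dataclass
class RouterAdvert:
    port: str             # switch port the frame arrived on
    router_lifetime: int  # seconds; 0 means "do not use me as a default router"
    prefixes: list        # advertised on-link/autoconfig prefixes

def build_ra(router_lifetime, prefix):
    """Construct a minimal RFC 4861 RA payload with one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    # type 134, code 0, checksum 0 (left to the stack), hop limit 64, flags 0, lifetimes
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    # option type 3, length 4 (32 bytes): prefix length, L|A flags, valid/preferred lifetimes
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed

def parse_ra(port, payload):
    """Parse the RA header and any Prefix Information options (type 3)."""
    icmp_type, _, _, _, _, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != 134:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard such packets
        body = payload[off:off + olen * 8]
        if otype == 3 and len(body) == 32:
            prefixes.append(ipaddress.IPv6Network((body[16:32], body[2])))
        off += olen * 8
    return RouterAdvert(port, lifetime, prefixes)

def ra_guard_verdict(ra):
    """Port-trust policy in the spirit of RA guard: RAs are only accepted from trusted ports."""
    return "accept" if ra.port in TRUSTED_PORTS else "drop"

# Constructed frames: the real router on the uplink, and a router plugged into an
# access port that advertises itself as a default router (non-zero lifetime).
FRAMES = [
    ("Gi1/0/1", build_ra(1800, "2001:db8:1::/64")),
    ("Gi1/0/23", build_ra(1800, "2001:db8:99::/64")),
]

def audit(frames):
    return [(port, ra_guard_verdict(parse_ra(port, payload))) for port, payload in frames]
```

The second frame models the office router Leo describes: the switch drops it on the access port regardless of what the RA contains, which is why filtering at the edge rather than changing DHCPv6 addresses the whole class of problem.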