[141946] in North American Network Operators' Group
Re: The stupidity of trying to "fix" DHCPv6
daemon@ATHENA.MIT.EDU (Ben Jencks)
Tue Jun 14 17:01:34 2011
From: Ben Jencks <ben@bjencks.net>
In-Reply-To: <20110614202513.GA49062@ussenterprise.ufp.org>
Date: Tue, 14 Jun 2011 17:01:24 -0400
To: Leo Bicknell <bicknell@ufp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 14, 2011, at 4:25 PM, Leo Bicknell wrote:
> In a message written on Tue, Jun 14, 2011 at 02:00:35PM -0400, Ben =
Jencks wrote:
>> This has always confused me. What aspect of host configuration is the =
router providing that's so problematic? The prefix, which has to match =
on the router and host in order for anything to work anyway? The =
indication to go use DHCPv6, which doesn't really add anything since you =
need to configure a DHCPv6 proxy anyway? There's just so little =
information in an RA, and the router needs to know it all anyway, that =
I'm having trouble understanding what environment would find this so =
horrifying.
> [snipped long explanation that you do in fact need DNS servers]
>=20
> So just like in IPv4, IPv6 requires DHCP to have a functioning end =
user
> box. DHCP remains a hard requirement. The odd part now is that in =
IPv4
> DHCP carries the default gateway, while in IPv6 land you must also run
> Router Advertisements on your router and have the host listen to them.
>=20
> The industry has taken a robust single protocol solution and turned it
> into a dual, co-dependent protocol situation.
I'm just not seeing how this actually adds more configuration overhead. =
Rather than looking at a protocol count, try looking at the number of =
actual items you need to configure and where they get configured. This =
is actually *smaller* in IPv6, because the DHCPv6 server doesn't need to =
know what the default gateways are anymore (I have no problem with a =
routing information option, but that's optional, not *needed*). The fact =
that the information is distributed over different protocols seems to =
make a lot of people really pissed off, but seems ancillary to the =
actual issues of what information is configured where and what options =
are available.
>=20
> The IETF is working on one solution, which is to add DNS information =
to
> the RA's! So now you'll configure your routers to hand out DNS =
servers
> to clients, and then everything else (NTP servers, Domain Controllers,
> etc) in DHCP!
I agree, that's never seemed like a good idea.
> What I and others are suggesting is the other way around, how about we
> just put a default route in DHCPv6 like we did in v4, and forget all
> about RA's so we're back to a single protocol solution?
>=20
> Beyond that it is important to notice that the failure modes and =
attack
> vectors for RA's and DHCP are different. I argue DHCP is "better", =
but
> I also realize that's a very subjective judgment. That said, there
> are cases where people may prefer DHCP's robustness and/or failure
> modes, and cases where people might prefer RA's.
There are differences in failure modes, but I'd argue that's not enough =
justification to fragment the configuration options. If there are two =
overlapping ways to configure things, then I'd bet that all but the most =
mainstream or high-end implementations will have poor support for at =
least one. That was the one you chose? Too bad, you have to support both =
now. So much for the "operator choice" you keep arguing for.
> Lastly, there's a hidden bit here many people haven't dealt with
> yet in lab networks. In IPv4 critical environments it's typical
> to use HSRP or VRRP to provide a single gateway across two routers.
> The IPv6 way to do this is to have both advertise RA's, possibly
> with different priorities.
Erm, I thought the IPv6 way to do it was to use IPv6 VRRP... I've heard =
of some vendor bugs on it, but it's implemented.
Multiple routers sending RAs can be useful, but not for the same kind of =
HA that VRRP is designed for.
-Ben=
