[141954] in North American Network Operators' Group
Re: The stupidity of trying to "fix" DHCPv6
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Jun 14 18:11:09 2011
From: Owen DeLong <owen@delong.com>
In-Reply-To: <BANLkTim1pmVXvfN4HVpRzjkKJ18o-A4hi5=yvZBi+Z9LUzFCOQ@mail.gmail.com>
Date: Tue, 14 Jun 2011 15:08:30 -0700
To: Ray Soucy <rps@maine.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 14, 2011, at 11:14 AM, Ray Soucy wrote:
>> On Jun 14, 2011, at 1:41 PM, Owen DeLong wrote:
>> What is needed is:
>>
>> - Native RA Guard in switches
>> - Native DHCPv6 Snooping in switches
>> - Native RA Guard in WAPs
>> - Native DHCPv6 Snooping in WAPs
>> - Additional options to DHCPv6 for Routing Information
>> - Eventual changes to host DHCPv6 Client behavior so that
>> DHCP does occur when RA not present.
>
> Agree 100%
>
> Especially with the last one; DHCPv6 clients shouldn't even be started
> unless they see the M flag set; but that's an implementation
> challenge.
That's the current broken behavior. The goal is to correct that problem.
>
> Would probably include something analogous to ARP inspection for
> neighbor discovery; and that router implementations are modified so
> that once full, the neighbor table won't throw out known associations
> in favor of unknown associations to mitigate the denial of service
> attack vector present when using 64-bit prefixes. Perhaps DAD
> flooding protection too. It's a "new" protocol, so it will take a
> while for all these things to be worked out and become standard.
>
That would also likely be good, but I don't think that requires IETF effort.
> On Tue, Jun 14, 2011 at 2:00 PM, Ben Jencks <ben@bjencks.net> wrote:
>
>> This has always confused me. What aspect of host configuration is the
>> router providing that's so problematic? The prefix, which has to match
>> on the router and host in order for anything to work anyway? The
>> indication to go use DHCPv6, which doesn't really add anything since
>> you need to configure a DHCPv6 proxy anyway? There's just so little
>> information in an RA, and the router needs to know it all anyway, that
>> I'm having trouble understanding what environment would find this so
>> horrifying.
>
> And This.
>
> Really, people make way too big a deal about RA, and I think most of
> it comes from the lack of vendor support for filtering of rogue RA and
> the fact that Windows ICS happily sends them out.
>
No, that is not the only place it comes from. There are real world networks
that don't have a good solution with RA because RA assumes that link==subnet
and that simply isn't true in all cases.
> I still blame vendors; this design has been known for a long time now
> and they still haven't come up to speed, in part because people spend
> their time complaining on NANOG instead of to their sales rep.
>
Believe me, I've done both.
Owen
> -- 
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/
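As an added illustration of the neighbor-table behavior Ray describes above (not code from this thread or from any vendor), the following constructed Python model compares a bounded ND cache that evicts oldest-first with one that refuses to evict a resolved neighbor in favor of an unresolved one; the prefix, table size and function names are assumptions.

```python
from collections import OrderedDict
from ipaddress import IPv6Network
import random

INCOMPLETE, REACHABLE = "INCOMPLETE", "REACHABLE"


class NeighborCache:
    """Bounded ND cache (constructed model). With protect_resolved=True a
    full table only ever evicts INCOMPLETE entries, so traffic aimed at
    unused addresses in a /64 cannot push out neighbors that answered."""

    def __init__(self, capacity, protect_resolved):
        self.capacity = capacity
        self.protect_resolved = protect_resolved
        self.entries = OrderedDict()  # addr -> state, oldest first
        self.dropped = 0              # lookups refused because table is full

    def _make_room(self):
        if self.protect_resolved:
            victim = next((a for a, s in self.entries.items() if s == INCOMPLETE), None)
        else:
            victim = next(iter(self.entries))  # oldest entry, whatever its state
        if victim is None:
            return False
        del self.entries[victim]
        return True

    def resolve(self, addr):
        """Forwarding to addr needs a link-layer address: queue an NS, add INCOMPLETE."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.capacity and not self._make_room():
            self.dropped += 1
            return False
        self.entries[addr] = INCOMPLETE
        return True

    def confirm(self, addr):
        """A Neighbor Advertisement arrived for addr: mark the entry resolved."""
        if self.resolve(addr):
            self.entries[addr] = REACHABLE


def simulate(protect_resolved, capacity=16, known=12, flood=2000, seed=1):
    """Return how many known (resolved) neighbors survive a sweep of the /64."""
    rng = random.Random(seed)
    net = IPv6Network("2001:db8:0:1::/64")  # constructed documentation prefix
    cache = NeighborCache(capacity, protect_resolved)
    hosts = [net[i] for i in range(1, known + 1)]
    for h in hosts:
        cache.confirm(h)
    for _ in range(flood):  # packets to random, never-answering addresses
        cache.resolve(net[rng.randrange(known + 1, 2 ** 64)])
    return sum(1 for h in hosts if cache.entries.get(h) == REACHABLE)
```

With oldest-first eviction every known neighbor is gone after the first 16 unanswered lookups; with the protected policy all 12 remain while the INCOMPLETE slots simply churn.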