[148027] in North American Network Operators' Group
Re: Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Dec 30 04:33:02 2011
From: Iljitsch van Beijnum <iljitsch@muada.com>
In-Reply-To: <4EFBA369.8090103@dougbarton.us>
Date: Fri, 30 Dec 2011 10:31:48 +0100
To: Doug Barton <dougb@dougbarton.us>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 29 Dec 2011, at 0:16 , Doug Barton wrote:
> On 12/28/2011 03:13, Iljitsch van Beijnum wrote:
>> However, this has two issues. First, with RAs there are no risks that
>> incorrect default information is propagated because the default
>> gateway itself broadcasts its presence.
> Unless you have a malicious user on the network in which case all
> traffic immediately switches to the malicious user's gateway.
This is a different issue. And although this is / has been common for RAs/stateless autoconfig because some idiot at Microsoft made this happen more or less automatically in some configurations, there really is no difference between DHCPv6 and stateless autoconfig here.
What I'm talking about is the issue where a legitimate DHCP server gives out an incorrect default gateway address because of a configuration mistake. Because a DHCP server that isn't also that same router has no way of knowing that address, this can't be done right automatically, so mistakes happen. Especially at this point with IPv6, where most people don't notice it when it doesn't work most of the time.
> I'm aware that SEND is trying to solve this problem, but it's not
> yet deployed.
SEND is similar to IPsec in this regard: it's not going to be deployed widely because it's too complex to do so.
> I think that people already know of and have solutions for the security
> issues that exist for DHCP today.
Yes, for IPv4. But this is a filtering issue. If you can filter rogue DHCPv6 servers you can also filter rogue RAs.
> 10-12 years ago I attempted to make 2 points to the IPv6 literati. First
> that IPv6 would not be widely adopted in the enterprise until it had
> full DHCP parity with v4. Second that the easiest way to do that would
> be to declare all existing DHCPv4 options that are relevant to IPv6 as
> existing in DHCPv6 by fiat, and to prevent new v6-only options from
> using option numbers that already exist for v4 (and vice versa). I was
> laughed out of the room on both counts.
I agree with you that DHCPv6 doesn't deserve any prizes, not for design, implementation nor time to market. But I disagree that importing all IPv4 cruft into IPv6 for the sake of speeding up deployment that wasn't going to happen anyway would have been a good idea then, let alone now.
> The good news is that it's not too late to fix DHCPv6. We're at a
> watershed moment where it's just possible that we'll get the ability to
> assign a default gateway added to it due to, for lack of a better term,
> market forces. This would be a major paradigm shift. As you point out
> the development lead time on stuff like that is rather painful, however
> if we took advantage of the camel's nose under the tent and included
> "everything relevant that DHCPv4 can do" in that update, we'd be in a
> pretty good condition in a year or so.
You are living in a fantasy world if you think that.
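The "rogue RAs are a filtering issue" point from the exchange above, as an added example that is not part of the thread: a small detector that parses IPv6 Router Advertisement frames and flags any whose sender is not on an allowlist of known routers. The allowlist entries and the frames it is run against are constructed test values, not a real capture.

```python
import ipaddress
import struct

ETH_IPV6 = 0x86DD
ICMPV6_RA = 134  # ICMPv6 Router Advertisement

# Constructed allowlist: link-local address -> MAC of each legitimate router.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}


def build_ra(src_mac: str, src_ip: str, hop_limit: int = 255,
             lifetime: int = 1800) -> bytes:
    """Build a minimal RA frame as test input (constructed; checksum left zero)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    ip += ipaddress.IPv6Address(src_ip).packed
    ip += ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    eth = bytes.fromhex("333300000001")              # dst MAC for ff02::1
    eth += bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETH_IPV6)
    return eth + ip + icmp


def parse_ra(frame: bytes):
    """Return sender and lifetime fields of an RA frame, or None if not an RA."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip, icmp = frame[14:54], frame[54:]
    if ip[6] != 58 or icmp[0] != ICMPV6_RA:  # next header must be ICMPv6
        return None
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "src_ip": str(ipaddress.IPv6Address(ip[8:24])),
        "hop_limit": ip[7],
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
    }


def classify_ra(frame: bytes) -> str:
    """'legit', 'rogue', 'malformed' or 'not-ra' for one captured frame."""
    ra = parse_ra(frame)
    if ra is None:
        return "not-ra"
    # RFC 4861: RAs carry a link-local source and hop limit 255; anything
    # else did not come from an on-link router and a host must discard it.
    if not ipaddress.IPv6Address(ra["src_ip"]).is_link_local or ra["hop_limit"] != 255:
        return "malformed"
    # Same allowlist idea applies to DHCPv6 server replies. A MAC can be
    # spoofed, so on a host this is detection; enforcement belongs on the switch.
    if KNOWN_ROUTERS.get(ra["src_ip"]) != ra["src_mac"]:
        return "rogue"
    return "legit"
```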