[152269] in North American Network Operators' Group
Re: Automatic IPv6 due to broadcast
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Apr 23 03:29:41 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAAAwwbWD3OpL8=M0=ndf3nm7F8CGhgoQHoOHeapEwUbPxFfgdQ@mail.gmail.com>
Date: Mon, 23 Apr 2012 00:24:53 -0700
To: Jimmy Hess <mysidia@gmail.com>
Cc: NANOG Mailing List <nanog@nanog.org>, carlos@lacnic.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> On 4/22/12, Grant Ridder <shortdudey123@gmail.com> wrote:
>=20
>> Most switches nowadays have dhcpv4 detection that can be enabled for =
port
>=20
> Yes. Many L2 switches have DHCPv4 "Snooping", where some port(s) can
> be so designated as trusted DHCP server ports, for certain Virtual
> LANs; and dhcp messages can be detected and suppressed from
> unauthorized edge ports. =20
Sounds suspiciously like IPv6 RA Guard, no?
> Particularly good L2 switches also have
> DAI or "IP Source guard" IPv4 functions, which when properly
> enabled, can foil certain L2 ARP and IPv4 source address spoofing
> attacks, respectively.
>=20
> e.g. Source IP address of packet does not match one of the DHCP leases
> issued to that port -- then drop the packet.
>=20
Meh... I can see many cases where that might be more of a bug than =
feature.
Especially in environments where loops may be possible and the DHCP =
lease might
have come over a different path than the port in question during some =
network event.
>=20
> As for IPv6; rfc6105; you have
> ipv6 nd raguard
>=20
> and IOS NDP inspection.
>=20
> However, there are caveats that should be noted. RA guard
> implementations can be trivially fooled by the use of crafted packets.
>=20
Frankly, I suggest dropping any RA that doesn't fit in a single packet =
as a simple solution to the crafted-packet issue. (The crafted packet =
attacks by and large depend on crafting it so that there are enough =
extension headers to put the RA header in the second or later fragment).
> These are potentially good protections against accidental
> configuration errors, but not malicious attack from a general purpose
> computer.
If you have a malicious attack from a general purpose computer on your =
own LAN, you've already lost on multiple levels to some extent or other.
The most effective solution at that point is to identify, locate, and =
excise said attacker.
>=20
>=20
> Currently, IPv4 seems to win at L2 easily in regards to the level of
> hardware security features commonly available on L2 switches that
> pertain to IP.
>=20
There was a time when one probably could have argued that Novell beat IP =
on that basis alone.
IPv4 loses when you consider that there are more than 3.2 billion people =
in the world. That people likely will need a minimum of 5 IP addresses =
each. That we also need to number infrastructure, routers, servers, =
sensor grids, etc.
IPv4 also loses when you consider the pervasiveness of debilitated IPv4 =
internetworking in favor of address conservation over the last 20 years.
Owen
>=20
>=20
>> -Grant
> --
> -JH
