[167842] in North American Network Operators' Group
Re: turning on comcast v6
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Mon Dec 30 20:16:37 2013
From: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <178A1408-7966-4EB6-8A84-17E563F35508@delong.com>
Date: Mon, 30 Dec 2013 19:16:04 -0600
To: Owen DeLong <owen@delong.com>
Cc: Jamie Bowden <jamie@photon.com>,
North American Network Operators' Group <nanog@nanog.org>
On Dec 30, 2013, at 6:56 PM, Owen DeLong <owen@delong.com> wrote:
> You can accomplish the same thing in IPv4…
>
> Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her DHCP server takes over your network.
No, the failure mode is still different.
With IPv6 RAs, the rogue router breaks all hosts on the LAN with a single broadcast.
With a rogue DHCP server no currently working clients will stop working. In fact many will do directed renews, and never notice said rogue server. It is only a freshly booted host that might be captured by a rogue DHCP server.
In a corporate environment the difference between one user getting a rogue DHCP server, being down, and asking for troubleshooting, and taking out an entire department/floor/office is enormous.
> Yes, you have to pay attention when you plug in a router just like you’d have to pay attention if you plugged in a DHCP server you were getting ready to recycle.
>
> Incompetence in execution really isn’t the protocol’s fault.
We can't work around incompetent admins. Even the best humans goof from time to time.
What we can do is design protocols that are robust, or not, in the face of stupidity and accident.
I should tell you about the time rogue RAs took down a data center network because in the middle of the night the tech I was talking to couldn't tell if I said port "fifteen" or port "fifty" over the phone, and thus plugged the router into the wrong network, taking down several hundred hosts. The IPv4 side was fine for the 30 seconds or so until we straightened it out.
There's a reason why there are huge efforts to put RA guard in switches and do cryptographic RAs. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router assignment option.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
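The "one broadcast breaks every host" property of rogue RAs is what RA guard on a switch is meant to catch. As an added example that is not part of the original thread, here is a small Python monitor that parses ICMPv6 Router Advertisements (RFC 4861) and flags any that come from a router, or announce a prefix, outside an operator-maintained allowlist. KNOWN_ROUTERS, KNOWN_PREFIXES and the sample packets built by build_ra are constructed for the example.

```python
import struct
import ipaddress

# Constructed allowlist: the routers and prefixes an operator expects on this LAN.
KNOWN_ROUTERS = {"fe80::1"}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (type 134) into fields and options."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, _reachable, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8  # option length is in 8-byte units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed ND option")
        opt = payload[off:off + olen]
        if otype == 1 and olen == 8:        # Source Link-Layer Address option
            ra["src_mac"] = opt[2:8].hex(":")
        elif otype == 3 and olen == 32:     # Prefix Information option
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append(ipaddress.IPv6Network((prefix, opt[2]), strict=False))
        off += olen
    return ra

def audit_ra(src_addr: str, payload: bytes) -> list:
    """Return findings for an RA seen from src_addr; an empty list means it looks legitimate."""
    ra = parse_ra(payload)
    findings = []
    # A non-zero router lifetime means "use me as a default gateway"; that is the
    # claim a rogue RA makes and the one worth alerting on from an unknown source.
    if src_addr not in KNOWN_ROUTERS and ra["router_lifetime"] > 0:
        findings.append(f"unknown router {src_addr} ({ra['src_mac']}) advertising as default gateway")
    for p in ra["prefixes"]:
        if p not in KNOWN_PREFIXES:
            findings.append(f"unexpected prefix {p} advertised by {src_addr}")
    return findings

def build_ra(router_lifetime: int, prefix: str, mac: str) -> bytes:
    """Build a constructed RA payload for testing (ICMPv6 checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    return hdr + sll + pio
```

Run over packets captured with a raw ICMPv6 socket or a pcap, audit_ra gives the same signal a switch port would act on; an unknown router with lifetime 0 (withdrawing itself) is deliberately not flagged.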