[167974] in North American Network Operators' Group


Re: turning on comcast v6

daemon@ATHENA.MIT.EDU (TJ)
Fri Jan 3 01:30:22 2014

In-Reply-To: <52C6432A.3070608@matthew.at>
Date: Fri, 3 Jan 2014 01:30:03 -0500
From: TJ <trejrco@gmail.com>
To: NANOG <nanog@nanog.org>
Reply-To: trejrco@gmail.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I'd argue that while the timing may be different, RA and DHCP attacks are
largely the same and are simply variations on a theme.

And, regardless of the protocol in question, represent attacks which should
be defended against.

As is often (always?) the case, there are tradeoffs - and the pros and cons
of those tradeoffs will be weighted differently by different parties.

/TJ

On Jan 3, 2014 12:00 AM, "Matthew Kaufman" <matthew@matthew.at> wrote:
>
> On 12/30/2013 4:56 PM, Owen DeLong wrote:
>>
>> You can accomplish the same thing in IPv4...
>>
>>
>> Plug in Sally's PC with Internet Connection Sharing turned on and watch as her
>> DHCP server takes over your network.
>
>
> Not nearly as fast as bad RAs do (as others have pointed out).
>
>
>>
>> Yes, you have to pay attention when you plug in a router just like you'd
>> have to pay attention if you plugged in a DHCP server you were getting
>> ready to recycle.
>
>
> But the ability to plug in a not-router and break things is oh so much
> greater.
>
>>
>> Incompetence in execution really isn't the protocol's fault.
>
>
> But it is the protocol designer's fault... and once shipped, the
> protocol's fault. There's all sorts of things that were known at the time
> IPv6 was designed that the designers failed to build solutions for. As an
> example, routers *could* be a lot smarter about sending RAs on a network
> where routers are already present, but that's not in the spec.
>
> Neither the ND DOS attack nor the need to protect against bogus RAs on
> every port of your switch but one (or rarely, two) are things that should
> have been a post-deployment surprise (to name just a couple pet peeves of
> mine... there's more design flaws that could have been easily avoided had
> enough people cared to do so).
>
> Matthew Kaufman
>
>
>

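An added example, not from this thread, of the detection side of Matthew's point about bogus RAs arriving on any switch port: it parses constructed Router Advertisement frames and flags any whose source is not an allow-listed gateway (the allow-list address, the sample frames and the packet builder are all assumptions for the example). The same alert logic applied to DHCPOFFER sources covers the rogue-DHCP case Owen describes.

```python
import ipaddress
import struct

ICMPV6_RA, ICMPV6_NS, PREFIX_INFO_OPT = 134, 135, 3   # RFC 4861 ICMPv6 types / ND option
LEGIT_ROUTERS = {ipaddress.IPv6Address("fe80::1")}   # assumed: the one real gateway

def build_packet(src, icmp_type, prefix="::", plen=64):
    """Construct a sample IPv6 packet (checksum left zero; this is test input only)."""
    if icmp_type == ICMPV6_RA:   # RA header (16 bytes) + one Prefix Information option (32 bytes)
        icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
        icmp += struct.pack("!BBBBIII", PREFIX_INFO_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    else:                        # minimal Neighbor Solicitation: header + target address
        icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)   # next header 58 = ICMPv6
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp

def parse_ra(pkt):
    """Return (source address, [advertised prefixes]) if pkt is an RA, else None."""
    if len(pkt) < 56 or pkt[6] != 58 or pkt[40] != ICMPV6_RA:
        return None
    src, icmp, prefixes, off = ipaddress.IPv6Address(pkt[8:24]), pkt[40:], [], 16
    while off + 2 <= len(icmp):                  # walk the TLV option list after the 16-byte header
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:                            # zero-length option is malformed; stop parsing
            break
        if otype == PREFIX_INFO_OPT and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(icmp[off + 16:off + 32])}/{icmp[off + 2]}")
        off += olen
    return src, prefixes

def rogue_ras(packets):
    """Alert on every RA whose source is not an allow-listed router."""
    alerts = []
    for pkt in packets:
        parsed = parse_ra(pkt)
        if parsed and parsed[0] not in LEGIT_ROUTERS:
            alerts.append((str(parsed[0]), parsed[1]))
    return alerts

SAMPLE_FRAMES = [   # constructed sample traffic
    build_packet("fe80::1", ICMPV6_RA, "2001:db8:1::"),            # the real router
    build_packet("fe80::dead:beef", ICMPV6_RA, "2001:db8:bad::"),  # unexpected RA source
    build_packet("fe80::1", ICMPV6_NS, "2001:db8:1::5"),           # not an RA; skipped
]

if __name__ == "__main__":
    print(rogue_ras(SAMPLE_FRAMES))   # [('fe80::dead:beef', ['2001:db8:bad::/64'])]
```

In a real deployment the frames would come from a span port or RA Guard logs and the allow-list from the gateway inventory; note that RA Guard on the switch blocks the RA, while this only reports it.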