[167976] in North American Network Operators' Group
Re: turning on comcast v6
daemon@ATHENA.MIT.EDU (Doug Barton)
Fri Jan 3 03:41:04 2014
Date: Fri, 03 Jan 2014 00:40:42 -0800
From: Doug Barton <dougb@dougbarton.us>
To: trejrco@gmail.com, NANOG <nanog@nanog.org>
In-Reply-To: <CALOgxGa1-2dEQ_X33eceswTFg7-LT0LymgOSfsfVowuEN9Zr6w@mail.gmail.com>

On 01/02/2014 10:30 PM, TJ wrote:
> I'd argue that while the timing may be different, RA and DHCP attacks
> are largely the same and are simply variations on a theme.

Utter nonsense. The ability to nearly-instantly switch traffic for
nearly-all nodes on the network is a very different thing than what a
rogue DHCP server could do, even if you have ridiculously short lease
times, which most don't.

Further, by far the common case is for network gear to _already_ be
configured to avoid permitting hosts to act as DHCP servers unless they
are supposed to be. It's rare to even find a network device that has RA
Guard capabilities, never mind one that has them turned on.

There is simply no good reason not to include default route in the
configuration for DHCPv6, and it's long overdue.

Doug