[167994] in North American Network Operators' Group
Re: turning on comcast v6
daemon@ATHENA.MIT.EDU (Owen DeLong)
Fri Jan 3 20:57:57 2014
From: Owen DeLong <owen@delong.com>
In-Reply-To: <52C6778A.5070309@dougbarton.us>
Date: Fri, 3 Jan 2014 17:52:25 -0800
To: Doug Barton <dougb@dougbarton.us>
Cc: NANOG <nanog@nanog.org>
On Jan 3, 2014, at 12:40 AM, Doug Barton <dougb@dougbarton.us> wrote:
> On 01/02/2014 10:30 PM, TJ wrote:
>> I'd argue that while the timing may be different, RA and DHCP attacks
>> are largely the same and are simply variations on a theme.
>
> Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don't
Not entirely true, actually... If you're willing to work hard enough at it, most hosts can be "encouraged" to renew early.
> Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on.
Well... Sure, 15 years after DHCP attacks first started being a serious problem... I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc.
> There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue.
As I've said before, if we're going to bother doing it, we should just include RIO options, but otherwise, I agree with you.
Owen
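As an added defender-side example (not code from the thread or from any of its participants), a small monitor for the situation discussed above, a segment whose switches have no RA Guard: it flags Router Advertisements from any sender other than the allowlisted router for that VLAN, and RAs whose source is not link-local as RFC 4861 requires. The RA event records and the AUTHORIZED allowlist are constructed for illustration.

```python
"""Rogue Router Advertisement monitor (added example, not from the NANOG thread).

Flags IPv6 RAs whose sender is not the authorized router for its VLAN, or whose
source address is not link-local as RFC 4861 requires. The event records and
the AUTHORIZED table below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

@dataclass(frozen=True)
class RAEvent:
    vlan: int
    src_mac: str           # sender's link-layer address
    src_ip: str            # sender's IPv6 source address (must be link-local)
    router_lifetime: int   # seconds; 0 means "do not use me as default router"
    prefixes: tuple        # advertised on-link/autoconf prefixes

# Assumed allowlist: the only MACs permitted to originate RAs on each VLAN.
AUTHORIZED = {10: {"00:11:22:33:44:01"}, 20: {"00:11:22:33:44:02"}}

def classify(ev: RAEvent):
    """Return an alert string for a suspicious RA, or None for an expected one."""
    if ipaddress.IPv6Address(ev.src_ip) not in LINK_LOCAL:
        return f"vlan {ev.vlan}: RA with non-link-local source {ev.src_ip} from {ev.src_mac}"
    if ev.src_mac.lower() not in AUTHORIZED.get(ev.vlan, set()):
        role = "default router" if ev.router_lifetime > 0 else "prefix-only"
        return (f"vlan {ev.vlan}: unauthorized {role} RA from {ev.src_mac} "
                f"({ev.src_ip}) prefixes={list(ev.prefixes)}")
    return None

def monitor(events):
    """Run classify() over observed RAs; returns the list of alerts, in order."""
    return [alert for alert in map(classify, events) if alert is not None]

# Constructed sample: one legitimate RA per VLAN, one RA from an unknown MAC on
# VLAN 10, and one malformed RA with a global source address on VLAN 20.
SAMPLE = [
    RAEvent(10, "00:11:22:33:44:01", "fe80::1", 1800, ("2001:db8:10::/64",)),
    RAEvent(10, "aa:bb:cc:dd:ee:ff", "fe80::a", 1800, ("2001:db8:bad::/64",)),
    RAEvent(20, "00:11:22:33:44:02", "fe80::2", 1800, ("2001:db8:20::/64",)),
    RAEvent(20, "00:11:22:33:44:02", "2001:db8:20::2", 1800, ("2001:db8:20::/64",)),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE):
        print(alert)
```

In practice the events would come from a packet capture on a mirror port or from hosts' own RA logging; the allowlist is the same per-VLAN router identity that an RA Guard policy would enforce in the switch.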