[167995] in North American Network Operators' Group
Re: turning on comcast v6
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Fri Jan 3 21:27:37 2014
Date: Fri, 03 Jan 2014 18:27:05 -0800
From: Paul Ferguson <fergdawgster@mykolab.com>
To: Owen DeLong <owen@delong.com>, Doug Barton <dougb@dougbarton.us>
In-Reply-To: <9D39E329-B2C3-4F53-ABD9-19C3D3D83539@delong.com>
Cc: NANOG <nanog@nanog.org>
Reply-To: fergdawgster@mykolab.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
What DHCP attacks?
Humor me... What DHCP "attacks"?
- ferg
On 1/3/2014 5:52 PM, Owen DeLong wrote:
>
> On Jan 3, 2014, at 12:40 AM, Doug Barton <dougb@dougbarton.us> wrote:
>
>> On 01/02/2014 10:30 PM, TJ wrote:
>>> I'd argue that while the timing may be different, RA and DHCP attacks
>>> are largely the same and are simply variations on a theme.
>>
>> Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don’t
>
> Not entirely true, actually… If you’re willing to work hard enough at it, most hosts can be “encouraged” to renew early.
>
>> Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on.
>
> Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc.
>
>> There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue.
>
> As I’ve said before, if we’re going to bother doing it, we should just include RIO options, but otherwise, I agree with you.
>
> Owen
>
--
Paul Ferguson
PGP Public Key ID: 0x63546533
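The thread turns on why a rogue Router Advertisement is a different risk class from a rogue DHCP server (one RA can redirect every host on the link) and on RA Guard and RIO options as the remedies. The following is an added example, not code from the thread or from any vendor's RA Guard: a small monitor that parses ICMPv6 RA bodies (RFC 4861, plus the RFC 4191 Route Information Option that Owen mentions) and applies an allowlist policy. The trusted-router address, the sample RAs and the `audit` helper are constructed assumptions for illustration; a real deployment would take the source address and payload from a capture or switch port rather than from the inline fixtures.

```python
"""RA Guard-style check over ICMPv6 Router Advertisements (added example).

Assumes a monitor that already has each frame's IPv6 source address and
ICMPv6 payload; the trusted-router set and sample packets are constructed.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861
OPT_SOURCE_LLADDR = 1    # Source Link-layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
OPT_ROUTE_INFO = 24      # Route Information option (RIO), RFC 4191


def parse_ra(src_ip, payload):
    """Decode an RA body starting at the ICMPv6 type byte.

    Returns None for non-RA messages and raises ValueError on malformed input.
    """
    if len(payload) < 16:
        raise ValueError("truncated ICMPv6 header")
    (icmp_type, _code, _csum, _hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ND_ROUTER_ADVERT:
        return None
    ra = {
        "src": src_ip,
        "router_lifetime": router_lifetime,  # 0 means "I am not a default router"
        "prf": (flags >> 3) & 0x3,           # RFC 4191 default router preference
        "lladdr": None,
        "prefixes": [],
        "routes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated ND option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 says discard
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["lladdr"] = opt[2:8].hex(":")
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen = opt[2]
            valid, preferred = struct.unpack("!II", opt[4:12])
            prefix = ipaddress.IPv6Address(opt[16:32])
            ra["prefixes"].append((f"{prefix}/{plen}", valid, preferred))
        elif otype == OPT_ROUTE_INFO and 1 <= olen <= 3:
            plen, rflags = opt[2], opt[3]
            lifetime = struct.unpack("!I", opt[4:8])[0]
            raw = opt[8:8 + (olen - 1) * 8].ljust(16, b"\0")  # prefix may be 0/8/16 bytes
            prefix = ipaddress.IPv6Address(raw)
            ra["routes"].append((f"{prefix}/{plen}", lifetime, (rflags >> 3) & 0x3))
        off += olen * 8
    return ra


def ra_guard_verdict(ra, trusted_routers):
    """Allowlist policy: only known link-local routers may advertise.

    Returns ("accept", []) or ("drop", [reason, ...]).
    """
    reasons = []
    if not ipaddress.IPv6Address(ra["src"]).is_link_local:
        reasons.append("source is not link-local (RFC 4861 section 6.1.2)")
    if ra["src"] not in trusted_routers:
        what = "withdraws default route" if ra["router_lifetime"] == 0 else "offers default route"
        reasons.append(f"untrusted source {ra['src']} {what}")
        for route, _lifetime, _prf in ra["routes"]:
            reasons.append(f"untrusted source injects RIO for {route}")
    return ("drop" if reasons else "accept", reasons)


def build_ra(router_lifetime, flags=0, options=b""):
    """Assemble a constructed RA body for the fixtures below (checksum left zero)."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                       router_lifetime, 0, 0) + options


# Constructed fixtures: one legitimate RA, then two RAs from an unknown host.
PREFIX_OPT = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:1::").packed)
RIO_DEFAULT = struct.pack("!BBBBI", OPT_ROUTE_INFO, 1, 0, 0x08, 1800)  # ::/0, Prf=high
TRUSTED = {"fe80::1"}  # assumed: the one router that belongs on this link
SAMPLES = [
    ("fe80::1", build_ra(1800, options=PREFIX_OPT)),
    ("fe80::dead", build_ra(9000, flags=0x08, options=RIO_DEFAULT)),
    ("fe80::dead", build_ra(0)),
]


def audit(samples=SAMPLES, trusted=TRUSTED):
    """Run each sample through parser and policy; returns [(src, verdict), ...]."""
    return [(src, ra_guard_verdict(parse_ra(src, body), trusted)[0]) for src, body in samples]


if __name__ == "__main__":
    for src, body in SAMPLES:
        verdict, reasons = ra_guard_verdict(parse_ra(src, body), TRUSTED)
        print(src, verdict, "; ".join(reasons))
```

The third fixture is the case Doug's point rests on: an RA with router lifetime 0 from an unknown source withdraws the default route from every host that hears it, with no lease to wait out. The allowlist on the source address is the same decision a switch's RA Guard makes per port; the parser is only there so the policy can also name which prefix or RIO the untrusted sender was pushing.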