[168037] in North American Network Operators' Group


Re: turning on comcast v6

daemon@ATHENA.MIT.EDU (Ricky Beam)
Mon Jan 6 15:57:22 2014

To: "Owen DeLong" <owen@delong.com>
Date: Mon, 06 Jan 2014 15:57:00 -0500
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <EFECE2C9-B2C5-4A21-902E-F6B030D950A3@delong.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong <owen@delong.com> wrote:
> A router, yes. THE router, not unless the network is very stupidly put  
> together.

Like every win7 and win8 machine on the planet?  (IPv6 is installed and  
enabled by default. Few places have IPv6 enabled on their LAN, so a single  
RA would, indeed, 0wn3z those machines instantly.)

> I disagree. Unlike with DHCP guard, RA guard can make reasonable  
> predictions in most cases. Switches with “uplink” ports designated, for  
> example, could easily default to permitting RAs only from those ports.

One cannot **GUESS** the security for a network. You must either *know* or
*not know* what's on a port.  What makes a port "uplink" (read:
"trusted")? The only way to know for sure, without creating surprises or
exploitable holes, is to make the ADMIN explicitly SET EACH PORT.  That's the
way DHCP Guard works.  That's the way spanning-tree portfast, bpdu guard,
root guard, etc., etc. work.  That's the way port security works.  And
that's the way RA Guard WILL be done.
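As an added illustration (not code from the thread or from any vendor), here is a toy RA-guard filter modelling the policy Beam describes: the only ports allowed to source Router Advertisements are the ones an administrator listed explicitly, nothing is inferred from the port, and frames an untrusted port sends that the guard cannot classify are dropped rather than guessed at. Port names, MAC addresses and the sample frames are constructed placeholders.

```python
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
EXTENSION_HEADERS = {0, 43, 44, 60}  # Hop-by-Hop, Routing, Fragment, Dest. Options

# Trust is stated by the admin, per port; nothing is inferred from link type or traffic.
TRUSTED_PORTS = frozenset({"Gi1/0/24"})  # placeholder name for the designated uplink

def build_ipv6_frame(src_mac: bytes, next_header: int, payload: bytes) -> bytes:
    """Constructed sample: Ethernet + fixed 40-byte IPv6 header + payload.
    Addresses are placeholders (link-local source, all-nodes multicast dest)."""
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    src_ip = bytes.fromhex("fe80000000000000") + bytes(6) + src_mac[4:6]
    dst_ip = b"\xff\x02" + bytes(13) + b"\x01"
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return eth + ipv6 + src_ip + dst_ip + payload

def classify(frame: bytes) -> str:
    """'ra' for an ICMPv6 Router Advertisement, 'other' for anything the guard
    can positively identify as not an RA, 'unclassified' when extension headers
    sit before the transport header (this toy does not walk them)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "other"
    next_header = frame[20]                 # byte 6 of the IPv6 header
    if next_header in EXTENSION_HEADERS:
        return "unclassified"
    if next_header == IPPROTO_ICMPV6 and len(frame) > 54:
        return "ra" if frame[54] == ICMPV6_ROUTER_ADVERTISEMENT else "other"
    return "other"

def ra_guard(port: str, frame: bytes, trusted_ports: frozenset = TRUSTED_PORTS) -> tuple:
    """Return (action, reason). RAs pass only from explicitly trusted ports, and
    an untrusted port's frame that cannot be classified is dropped (fail closed)."""
    kind = classify(frame)
    if port in trusted_ports:
        return ("forward", f"{kind} from admin-trusted port {port}")
    if kind == "ra":
        return ("drop", f"RA from untrusted port {port}")
    if kind == "unclassified":
        return ("drop", f"unclassifiable IPv6 frame from untrusted port {port}")
    return ("forward", f"{kind} from untrusted port {port}")

# Constructed sample frames (placeholder MACs); the RA checksum is left at zero.
RA_PAYLOAD = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
RA_FRAME = build_ipv6_frame(bytes.fromhex("0a0000000001"), IPPROTO_ICMPV6, RA_PAYLOAD)
TCP_FRAME = build_ipv6_frame(bytes.fromhex("0a0000000001"), 6, bytes(20))
HBH_FRAME = build_ipv6_frame(bytes.fromhex("0a0000000001"), 0, bytes(8))
```

A real implementation must walk the extension-header chain instead of refusing such frames wholesale, but the fail-closed default on untrusted ports is the point: when the guard does not know, it does not guess.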
