[168039] in North American Network Operators' Group


Re: turning on comcast v6

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Jan 6 16:13:12 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <op.w899tat5tfhldh@rbeam.xactional.com>
Date: Mon, 6 Jan 2014 13:08:35 -0800
To: Ricky Beam <jfbeam@gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 6, 2014, at 12:57 , Ricky Beam <jfbeam@gmail.com> wrote:

> On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong <owen@delong.com> wrote:
>> A router, yes. THE router, not unless the network is very stupidly put together.
>
> Like every win7 and win8 machine on the planet?  (IPv6 is installed and enabled by default. Few places have IPv6 enabled on their LAN, so a single RA would, indeed, 0wn3z those machines instantly.)
>
The obvious solution to that is to install real IPv6 routers.

>> I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with "uplink" ports designated, for example, could easily default to permitting RAs only from those ports.
>
> One cannot **GUESS** the security for a network. You must either *know* or *not know* what's on a port.  What makes a port "uplink" (read: "trusted")? The only way to know for sure, without creating surprises or exploitable holes, is make the ADMIN explicitly SET EACH PORT.  That's the way DHCP Guard works.  That's the way spanning-tree portfast, bpdu guard, root guard, etc., etc. works.  That's the way port security works.  And that's the way RA Guard WILL be done.

The port isn't particularly trusted, but it is allowed to send RAs which are forwarded to the network by default.
Obviously a sane switch would allow this configuration to be changed. We're not talking about the security model for a network, we're talking about the default behavior of a switch.

Defaults are, inherently, guesses to some extent. Nonetheless, a switch must have some default behavior.

It seems to me that in the case of switches which have otherwise designated uplink ports, it is logical to make those ports default to RA allowed while defaulting to not allowing RAs from other ports by default.

Owen
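As an added illustration (not part of the thread, and not any vendor's RA Guard code), a small Python model of the two policies being argued over: an explicitly configured per-port role always wins, and ports with no explicit role fall back to the default Owen proposes (RAs accepted only on designated uplinks, dropped elsewhere). The frame parser, port names and sample RA are constructed here for illustration.

```python
import struct
from dataclasses import dataclass, field

ETH_IPV6 = 0x86DD   # EtherType for IPv6
ICMPV6 = 58         # IPv6 next-header value for ICMPv6
RA_TYPE = 134       # ICMPv6 Router Advertisement

def is_router_advertisement(frame: bytes) -> bool:
    """True if an Ethernet frame carries an ICMPv6 RA (no extension headers).
    A production filter must also walk IPv6 extension headers (RFC 7113)."""
    if len(frame) < 14 + 40 + 1 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return False
    ip = frame[14:54]
    if ip[0] >> 4 != 6 or ip[6] != ICMPV6:
        return False
    return frame[54] == RA_TYPE

@dataclass
class RaGuard:
    """Hypothetical switch-side RA policy (not any vendor's implementation).
    An explicitly configured role ('router'/'host') always wins; ports without
    one use the default from the thread: RAs permitted only on designated uplinks."""
    uplink_ports: set
    explicit_roles: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)  # (port, src MAC) of blocked RAs, for alerting

    def allows_ra(self, port: str) -> bool:
        role = self.explicit_roles.get(port)
        if role is not None:
            return role == "router"
        return port in self.uplink_ports

    def forward(self, port: str, frame: bytes) -> bool:
        """Return True if the frame may be flooded into the VLAN, False if RA Guard drops it."""
        if is_router_advertisement(frame) and not self.allows_ra(port):
            self.dropped.append((port, frame[6:12].hex(":")))
            return False
        return True

def build_ra_frame(src_mac: bytes) -> bytes:
    """Constructed sample RA from fe80::<mac> to ff02::1; ICMPv6 checksum left zero."""
    eth = b"\x33\x33\x00\x00\x00\x01" + src_mac + struct.pack("!H", ETH_IPV6)
    src_ip = b"\xfe\x80" + b"\x00" * 8 + src_mac
    all_nodes = b"\xff\x02" + b"\x00" * 13 + b"\x01"
    ip = struct.pack("!IHBB", 0x60000000, 16, ICMPV6, 255) + src_ip + all_nodes
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    return eth + ip + icmp
```

The `dropped` list is the part a defender actually wants: a rogue RA on an access port is a strong signal worth alerting on, whichever default the switch ships with.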


