nanog mailing list archives
RE: IPv6 delivery model to end customers
From: "Soucy, Ray" <rays () maine edu>
Date: Mon, 9 Feb 2009 09:21:24 -0500
It's scenario 2 I'm worried about, all those mechanisms haven't been implemented for IPv6 as far as I know and if you're only doing 2.2-2.5 then you're open to the IPv6 security issue I described.
We've been seeing problems with this for the last year or so (since Vista started showing up). Since we run an academic network, we don't have as much control over hosts as you would see in a corporate setting. We've started poking Cisco about some key IPv6 support that we really need to move forward.

A big one is a solution to address the security concerns with IPv6 RA (Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option of using DHCP snooping to suppress unauthorized DHCP servers from handing out address information. With IPv6, any host can announce itself as a router (using RA) and make network traffic suddenly start making use of it as the router for a network. This makes it possible for hosts to inadvertently disrupt network service (Vista) or even be used maliciously to perform a man-in-the-middle attack to intercept your traffic.

Similarly with DHCPv6 there is nothing stopping a host from trying to hand out stateful IPv6 address configuration.

Even worse is that since modern hosts give traffic priority to IPv6, it becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router on IPv4-only networks. So there are security concerns even for networks that do not run IPv6 here. I think it goes without saying that this needs to be addressed before IPv6 can be deployed on most campus networks where users manage their own PCs.

So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping).

As far as IPv6 deployment to residential customers... I say most things these days are moving to Metro Ethernet. Give ea. customer a VLAN, that will save you a lot of headache and ultimately provide a better experience for the customer.

Ray Soucy
Communications Specialist
+1 (207) 561-3526
Communications and Network Services
University of Maine System
http://www.maine.edu/
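The unauthorized-RA problem described in the message above, expressed as monitoring logic over captured advertisements (an added example, not part of the original post and not any vendor's RA snooping implementation). The allow-lists, addresses, MACs and prefixes are constructed sample values, and `parse_ra`, `check_ra` and `build_ra` are names chosen here.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

RA_TYPE, OPT_SLLA, OPT_PREFIX = 134, 1, 3   # ICMPv6 RA and option types (RFC 4861)

def parse_ra(icmp):
    """Parse an ICMPv6 RA message body; None if malformed. Checksum is not verified."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        return None
    ra = {"lifetime": struct.unpack_from("!H", icmp, 6)[0], "slla": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8      # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            return None                                 # zero-length or truncated option
        body = icmp[off + 2:off + olen]
        if otype == OPT_SLLA and olen == 8:
            ra["slla"] = body.hex(":")
        elif otype == OPT_PREFIX and olen == 32:        # body[0] = prefix length
            ra["prefixes"].append(str(IPv6Network((body[14:30], body[0]), strict=False)))
        off += olen
    return ra

def check_ra(src_ip, src_mac, hop_limit, icmp, routers, prefixes):
    """Return the reasons an RA looks unauthorized (empty list means it passed)."""
    ra = parse_ra(icmp)
    if ra is None:
        return ["malformed RA"]
    reasons = []
    if (src_ip, src_mac) not in routers:
        reasons.append("sender is not an authorized router")
    if hop_limit != 255 or not IPv6Address(src_ip).is_link_local:
        reasons.append("not a valid on-link RA (hop limit 255, link-local source)")
    if ra["slla"] and ra["slla"] != src_mac:
        reasons.append("source link-layer option differs from frame MAC")
    reasons += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in prefixes]
    return reasons

def build_ra(mac, prefix, lifetime=1800):
    """Build constructed sample RA bytes for the demo (checksum left as zero)."""
    net = IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([OPT_SLLA, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + slla + pio + net.network_address.packed

ROUTERS, PREFIXES = {("fe80::1", "00:00:5e:00:53:01")}, {"2001:db8:10::/64"}  # constructed
GOOD = build_ra("00:00:5e:00:53:01", "2001:db8:10::/64")     # constructed: real router
ROGUE = build_ra("00:00:5e:00:53:99", "2001:db8:bad::/64")   # constructed: rogue host
```

On an IPv4-only segment both allow-lists are empty, so every RA seen is reported.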