nanog mailing list archives
RE: IPv6 delivery model to end customers
From: "TJ" <trejrco () gmail com>
Date: Mon, 9 Feb 2009 13:58:43 -0500
A big one is a solution to address the security concerns with IPv6 RA (Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option of using DHCP snooping to suppress unauthorized DHCP servers from handing out address information. With IPv6, any host can announce itself as a router (using RA) and make network traffic suddenly start making use of it as the router for a network. This makes it possible for hosts to inadvertently disrupt network service (Vista) or even be used maliciously to perform a man-in-the-middle attack to intercept your traffic. Similarly with DHCPv6 there is nothing stopping a host from trying to hand out stateful IPv6 address configuration. Even worse is that since modern hosts give traffic priority to IPv6, it becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router on IPv4-only networks. So there are security concerns even for networks that do not run IPv6 here. I think it goes without saying that this needs to be addressed before IPv6 can be deployed on most campus networks where users manage their own PCs. So Cisco (and other vendors) needs to introduce two things for LAN switching. DHCPv6 snooping, and more importantly, RA suppression (or RA snooping).
Indeed, this is a problem.
RA Guard is a very straightforward, hopefully soon-to-be-widely-supported, defense.
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
A "pure layer 3" solution is, of course, SEND/CGA ... where deployment concerns/problems abound ...
http://tools.ietf.org/html/rfc3971 & http://tools.ietf.org/html/rfc3972
And as I may have said once or thrice already, YES - I agree these solutions should have been developed / made deployable long before now.
As far as IPv6 deployment to residential customers... I say most things these days are moving to Metro Ethernet. Give ea. customer a VLAN, that will save you a lot of headache and ultimately provide a better experience for the customer.
Amen to that ...
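The rogue-RA concern discussed above can also be watched for from a monitoring host. The following is an added example, not part of the original post and not an implementation of the RA Guard draft (which filters on the switch): it parses a Router Advertisement and checks the sender against an allowlist. The function names, the allowlist and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_SLLA, OPT_PREFIX = 134, 1, 3   # ICMPv6 RA and option types (RFC 4861)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"managed": bool(flags & 0x80), "lifetime": lifetime,
          "mac": None, "prefixes": []}
    off = 16
    while off < len(icmp6):
        olen = icmp6[off + 1] * 8 if off + 1 < len(icmp6) else 0  # 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        if icmp6[off] == OPT_SLLA and olen == 8:
            ra["mac"] = icmp6[off + 2:off + 8].hex(":")
        elif icmp6[off] == OPT_PREFIX and olen == 32:
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append(f"{prefix}/{icmp6[off + 2]}")
        off += olen
    return ra

def check_ra(src: str, hop_limit: int, icmp6: bytes, allowed: set) -> list:
    """Return reasons to treat the RA as rogue; an empty list means accepted."""
    reasons = []
    addr = ipaddress.IPv6Address(src)
    if not addr.is_link_local:
        reasons.append("source not link-local")
    if hop_limit != 255:          # RFC 4861: RAs must arrive with hop limit 255
        reasons.append("hop limit != 255")
    if (str(addr), parse_ra(icmp6)["mac"]) not in allowed:
        reasons.append("router not on allowlist")
    return reasons

def build_ra(mac: bytes, prefix: str, plen: int = 64) -> bytes:
    """Constructed sample RA for the demo (checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + bytes([OPT_SLLA, 1]) + mac + pio + ipaddress.IPv6Address(prefix).packed

# Constructed sample data: documentation prefixes and MACs, hypothetical allowlist.
ALLOWED = {("fe80::1", "00:00:5e:00:53:01")}
GOOD = build_ra(bytes.fromhex("00005e005301"), "2001:db8:1::")
ROGUE = build_ra(bytes.fromhex("00005e0053aa"), "2001:db8:bad::")
```

On an IPv4-only segment the allowlist would be empty, so any RA seen is reported.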