nanog mailing list archives

Re: IPv6 Confusion


From: Nathan Ward <nanog () daork net>
Date: Thu, 19 Feb 2009 09:39:10 +1300

On 19/02/2009, at 9:15 AM, Randy Bush wrote:

What operational reasons are there for working with RA turned off?

networks with visitors have shown a serious problem with rogue RAs


Networks with visitors have shown a serious problem with rogue DHCP servers. Networks with visitors that use DHCPv6 for address assignment will have the exact same problem if someone comes along with a rogue DHCPv6 server.

You need to push your vendors for features to limit where RA messages and DHCPv6 messages can be sent from. Coming up with new ways to solve a problem with an already obvious solution (a solution that we have for an identical problem in IPv4) sounds like it would take longer to solve, and sounds like it would introduce even more confusion into this space.

If your ethernet equipment has the ability to filter on ethernet source/destination then you should be able to do this a little bit now.
- Only allow messages to the all routers multicast address to go to the switch interfaces that have routers on them.
- Only allow messages to the all DHCPv6 servers multicast address to go to the switch interfaces that have DHCPv6 servers or relays on them.

If your ethernet equipment can do IPv6 L4 ACLs then that is even better, you can allow RA messages only from routers, and DHCPv6 responses only from DHCPv6 servers.

Again, this is the same problem we have with DHCP in IPv4. The only difference is switch vendor support for filtering these messages.

--
Nathan Ward
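The two filtering approaches described in the post above, modelled as an added example that is not part of the NANOG thread or any vendor's implementation: the L2 variant (multicast to the all-routers and all-DHCPv6-servers groups is only forwarded out ports that have a router or a server/relay on them) and the L4 ACL variant (RAs accepted only on router ports, DHCPv6 server-originated traffic only on server/relay ports). The port names, the port-role table, the MAC addresses (taken from the documentation range) and the sample frames are all constructed for illustration.

```python
"""Added example: per-port RA / DHCPv6 filtering policy as a switch might apply it.
Port roles and frames are constructed; not code from the thread or a vendor."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ICMPV6_RS = 133           # Router Solicitation, RFC 4861
ICMPV6_RA = 134           # Router Advertisement, RFC 4861
DHCPV6_SERVER_PORT = 547  # servers and relays send from UDP 547, RFC 8415
DHCPV6_CLIENT_PORT = 546
ALL_ROUTERS = "ff02::2"
ALL_DHCP_SERVERS = "ff02::1:2"  # all DHCPv6 relay agents and servers


@dataclass
class Frame:
    ingress_port: str
    src_mac: str
    dst_ip: str
    proto: str                        # "icmpv6" or "udp"
    icmpv6_type: Optional[int] = None
    udp_sport: Optional[int] = None


# Constructed port-role table (hypothetical port names); a real deployment
# would derive this from the switch configuration.
PORT_ROLES: Dict[str, str] = {
    "Gi1/0/1": "router",
    "Gi1/0/2": "dhcpv6-server",
    "Gi1/0/3": "host",
    "Gi1/0/4": "host",
}


def egress_ports(frame: Frame, roles: Dict[str, str]) -> Set[str]:
    """L2 variant: frames to the all-routers group go only to router ports,
    frames to the all-DHCPv6-servers group go only to server/relay ports;
    everything else is flooded to all ports except the ingress port."""
    others = {p for p in roles if p != frame.ingress_port}
    if frame.dst_ip == ALL_ROUTERS:
        return {p for p in others if roles[p] == "router"}
    if frame.dst_ip == ALL_DHCP_SERVERS:
        return {p for p in others if roles[p] == "dhcpv6-server"}
    return others


def l4_acl(frame: Frame, roles: Dict[str, str]) -> Optional[str]:
    """L4 ACL variant: return None if the frame is permitted on its ingress
    port, otherwise the deny reason. RAs are only accepted from router ports;
    DHCPv6 server/relay-originated messages (UDP source port 547) only from
    server/relay ports. Everything else passes."""
    role = roles.get(frame.ingress_port, "host")
    if frame.proto == "icmpv6" and frame.icmpv6_type == ICMPV6_RA and role != "router":
        return "RA from non-router port"
    if frame.proto == "udp" and frame.udp_sport == DHCPV6_SERVER_PORT and role != "dhcpv6-server":
        return "DHCPv6 server message from non-server port"
    return None


def audit(frames: List[Frame], roles: Dict[str, str] = PORT_ROLES) -> List[Tuple[str, str, str]]:
    """Run the L4 policy over a capture and report what it would have dropped
    as (ingress_port, src_mac, reason) tuples, i.e. the rogue RA / rogue
    DHCPv6 detections an operator would want logged."""
    findings = []
    for f in frames:
        reason = l4_acl(f, roles)
        if reason is not None:
            findings.append((f.ingress_port, f.src_mac, reason))
    return findings


# Constructed sample frames; MACs are from the 00:00:5e:00:53:xx documentation range.
SAMPLE_FRAMES = [
    Frame("Gi1/0/1", "00:00:5e:00:53:01", "ff02::1", "icmpv6", icmpv6_type=ICMPV6_RA),      # RA from the real router
    Frame("Gi1/0/3", "00:00:5e:00:53:33", "ff02::1", "icmpv6", icmpv6_type=ICMPV6_RA),      # RA from a host port
    Frame("Gi1/0/3", "00:00:5e:00:53:33", ALL_ROUTERS, "icmpv6", icmpv6_type=ICMPV6_RS),    # legitimate RS
    Frame("Gi1/0/2", "00:00:5e:00:53:02", "fe80::1", "udp", udp_sport=DHCPV6_SERVER_PORT),  # server reply
    Frame("Gi1/0/4", "00:00:5e:00:53:44", "fe80::1", "udp", udp_sport=DHCPV6_SERVER_PORT),  # server reply from a host port
    Frame("Gi1/0/4", "00:00:5e:00:53:44", ALL_DHCP_SERVERS, "udp", udp_sport=DHCPV6_CLIENT_PORT),  # legitimate Solicit
]

if __name__ == "__main__":
    for port, mac, reason in audit(SAMPLE_FRAMES):
        print(f"deny {port} {mac}: {reason}")
    print("RS forwarded to:", sorted(egress_ports(SAMPLE_FRAMES[2], PORT_ROLES)))
    print("Solicit forwarded to:", sorted(egress_ports(SAMPLE_FRAMES[5], PORT_ROLES)))
```

The L4 check is the stronger of the two because it keys on what the message is (RA, or DHCPv6 traffic sourced from port 547) rather than on where it is addressed; the L2 variant only constrains the all-routers and all-servers groups, so it is the "little bit" the post says is possible on equipment without IPv6 L4 ACLs. Both depend entirely on the port-role table being correct, which is the same trust assumption as DHCP snooping in IPv4.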


