Re: IPv6 Confusion

[Leo Bicknell <bicknell () ufp org>]

In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300, Nathan Ward wrote:
> I guess you don't use DHCP in IPv4 then.

No, you seem to think the failure mode is the same, and it is not.

Let's walk through this:

1) 400 people get on the NANOG wireless network.

2) Mr 31337 comes along and puts up a rogue DHCP server.

3) All 400 people continue working just fine until their lease expires,
   which is likely after the conference ends.

   The 10 people who came in late get info from the rogue server, and 
   troubleshooting ensues.

Let's try with IPv6.

1) 400 people get on the NANOG wireless network.

2) Mr 31337 sends a rouge RA.

3) 400 people instantly loose network access.

   The 10 who come in late don't even bother to try and get on.

So, with DHCP handing out a default route we have 10/400 down, with RA's
we have 410/410 down.  Bravo!

Let me clear up something from the start; this is not security.  If
security is what you are after none of the solutions proffered so
far work.  Rather this is robust network design.  A working device
shouldn't run off and follow a new router in miliseconds like a
lost puppy looking for a treat.

This actually offers a lot of protection from stupidity though.  Ever
plug an IPv4 router into the wrong switch port accidently?  What
happened?  Probably nothing; no one on the LAN used the port IP'ed in
the wrong subnet.  They ignored it.

Try that with an IPv6 router.  About 10 ms after you plug into the wrong
port out goes an RA, the entire subnet ceases to function, and your
phone lights up like a christmas tree.

Let me repeat, none of these solutions are secure.  The IPv4/DHCP model
is ROBUST, the RA/DHCPv6 model is NOT.
 
-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin
Description: