nanog mailing list archives
Re: {SPAM?} Re: IPv6 Deployment for the LAN
From: Chuck Anderson <cra () WPI EDU>
Date: Thu, 22 Oct 2009 16:06:48 -0400
On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
> Really. How do we deal with rogue DHCP on the wireless LAN? Obviously this is such a complex issue that we couldn't possibly have a solution that could be applied to RA.
Rogue DHCP doesn't immediately take down the entire subnet of machines with existing DHCP leases. It generally only affects new machines trying to get a lease, or RENEWing machines. The impact of a rogue RA is to immediately break connectivity for every machine on the subnet. Differing impacts lead to different risk assessments of which protocol to use.

Regardless, modern wireless deployments use central controllers or smart APs that can filter DHCP. They could be extended to filter RA as well.

And this whole point is rather moot because we have RAs and must deal with them. It is too late to get rid of the RA behavior of clients. Even if you don't want to use RAs, your hosts are still going to listen to them, which means a Rogue RA is going to take down your network.

We have this problem even on IPv4-only subnets, where a Rogue RA (usually a Windows box with routing turned on) breaks connectivity to dual-stack servers for machines on that subnet. Since the hosts prefer native IPv6 connectivity over IPv4, the hosts end up preferring the Rogue RA as the route towards the dual-stack server.

We really just need to bug our vendors to implement Rogue RA protection for wired and wireless ASAP, wherever we are in our deployment of IPv6.
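
The per-packet check that Rogue RA detection on a monitoring host or filtering AP comes down to, as an added example that is not part of the original post: it parses an ICMPv6 Router Advertisement (RFC 4861 layout) and flags RAs from sources outside an allowlist, including on subnets where no IPv6 is deployed. The function names, the `AUTHORIZED` allowlist and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type

def parse_ra(icmp6: bytes):
    """Parse an ICMPv6 RA body; return None if it is not a well-formed RA."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        return None
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            return None                                     # malformed option
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = icmp6[off + 2]
            if plen > 128:
                return None
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}

def check_ra(src, icmp6, authorized, subnet_has_ipv6):
    """Return findings for one RA seen on a segment; an empty list means expected."""
    ra = parse_ra(icmp6)
    if ra is None:
        return ["malformed or non-RA ICMPv6 message"]
    findings = []
    if not subnet_has_ipv6:
        findings.append("RA seen on an IPv4-only subnet")
    if ipaddress.IPv6Address(src) not in authorized:
        findings.append("unauthorized RA source " + src)
        if ra["router_lifetime"] > 0:
            findings.append("source advertises itself as default router")
        findings += ["advertises prefix %s" % p for p in ra["prefixes"]]
    return findings

# Constructed sample data (documentation prefix, made-up link-local addresses).
AUTHORIZED = {ipaddress.IPv6Address("fe80::1")}
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # RA header; checksum not verified here
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
             + ipaddress.IPv6Address("2001:db8:1::").packed)

if __name__ == "__main__":
    for src, has_v6 in (("fe80::1", True), ("fe80::dead:beef", False)):
        print(src, check_ra(src, SAMPLE_RA, AUTHORIZED, has_v6))
```

A nonzero router lifetime is what makes hosts install the sender as a default router, so that finding marks the RAs that redirect traffic rather than merely add a prefix.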