nanog mailing list archives
RE: IPv6 Confusion (back to technical conversation)
From: "TJ" <trejrco () gmail com>
Date: Thu, 19 Feb 2009 06:34:39 -0500
>> I guess you don't use DHCP in IPv4 then.
> No, you seem to think the failure mode is the same, and it is not. Let's walk through this: 1) 400 people get on the NANOG wireless network. 2) Mr 31337 comes along and puts up a rogue DHCP server. 3) All 400 people continue working just fine until their lease expires, which is likely after the conference ends. The 10 people who came in late get info from the rogue server, and troubleshooting ensues.
So a delayed failure makes it easier to troubleshoot? I'd rather know right away. Also - I'd rather not make the mistake in the first place ... but life isn't perfect.
> Let's try with IPv6. 1) 400 people get on the NANOG wireless network. 2) Mr 31337 sends a rogue RA. 3) 400 people instantly lose network access. The 10 who come in late don't even bother to try and get on. So, with DHCP handing out a default route we have 10/400 down, with RAs we have 410/410 down. Bravo!
Right, so a timing difference is all you are talking about - and the malicious person would probably know his/her limitations, and therefore show up early. Same end result. Also - there are questions over what type of RA was sent (or, more correctly, what type of payload), the timing of the good RAs, etc. BUT, the point is taken - yes, rogue RAs are a problem and there is a solution being developed.
> Let me clear up something from the start; this is not security. If security is what you are after none of the solutions proffered so far work. Rather this is robust network design. A working device shouldn't run off and follow a new router in milliseconds like a lost puppy looking for a treat. This actually offers a lot of protection from stupidity though. Ever plug an IPv4 router into the wrong switch port accidentally? What happened? Probably nothing; no one on the LAN used the port IP'ed in the wrong subnet. They ignored it. Try that with an IPv6 router. About 10 ms after you plug into the wrong port out goes an RA, the entire subnet ceases to function, and your phone lights up like a Christmas tree.
Right ... but you unplug it, NUD flushes and assuming you have your environment set right all is well in short order.
> Let me repeat, none of these solutions are secure. The IPv4/DHCP model is ROBUST, the RA/DHCPv6 model is NOT.
I would still disagree. More readily supporting multiple routers seems like a measure of robustness, to me anyway.
> Yup, understood. The point I am making is that the solution is still the same - filtering in ethernet devices.
YES!
> Perhaps there needs to be something written about detailed requirements for this so that people have something to point their switch/etc. vendors at when asking for compliance. I will write this up in the next day or two. I guess IETF is the right forum for publication of that. Is there something like this already that anyone knows of?
YES! http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01 Push vendors for support, please. (For wireless, something like PSPF would work just fine AFAIK ... please correct me if I am wrong!)
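The kind of per-port RA filtering the thread is asking switch vendors for, as an added example (not code from the thread, the RA Guard draft or any vendor): a constructed allow-list of legitimate router link-local addresses, a minimal RA packet builder for test input, and a verdict function that drops RAs failing the RFC 4861 validity checks or coming from an unlisted source.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_RA = 134   # ICMPv6 Router Advertisement type
IPPROTO_ICMPV6 = 58

# Constructed policy: only these link-local sources may send RAs on this LAN.
ALLOWED_ROUTERS = {IPv6Address("fe80::1")}


def parse_ipv6_icmp(frame: bytes):
    """Return (src, hop_limit, next_header, icmp_type) from a raw IPv6 packet."""
    if len(frame) < 40 or frame[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, hop_limit = frame[6], frame[7]
    src = IPv6Address(frame[8:24])
    icmp_type = frame[40] if next_header == IPPROTO_ICMPV6 and len(frame) > 40 else None
    return src, hop_limit, next_header, icmp_type


def ra_guard_verdict(frame: bytes) -> str:
    """RA-guard style decision for one packet: 'forward', 'drop' or 'ignore'."""
    src, hop_limit, next_header, icmp_type = parse_ipv6_icmp(frame)
    if next_header != IPPROTO_ICMPV6 or icmp_type != ICMPV6_RA:
        return "ignore"          # not an RA; not this filter's business
    # RFC 4861: a valid RA has hop limit 255 and a link-local source.
    if hop_limit != 255 or not src.is_link_local:
        return "drop"
    if src not in ALLOWED_ROUTERS:
        return "drop"            # rogue or misplugged router on this port
    return "forward"


def build_ra(src: str, hop_limit: int = 255, router_lifetime: int = 1800) -> bytes:
    """Construct a minimal IPv6 + ICMPv6 RA (no options, checksum left 0) for testing."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    payload = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(payload), IPPROTO_ICMPV6, hop_limit)
    header += IPv6Address(src).packed + IPv6Address("ff02::1").packed
    return header + payload


if __name__ == "__main__":
    for who, pkt in [("real router", build_ra("fe80::1")),
                     ("unlisted router", build_ra("fe80::dead")),
                     ("hop limit 64", build_ra("fe80::1", hop_limit=64))]:
        print(f"{who}: {ra_guard_verdict(pkt)}")
```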