nanog mailing list archives

RE: IPv6 Confusion (back to technical conversation)


From: "TJ" <trejrco () gmail com>
Date: Thu, 19 Feb 2009 06:34:39 -0500

I guess you don't use DHCP in IPv4 then.
No, you seem to think the failure mode is the same, and it is not.
Let's walk through this:
1) 400 people get on the NANOG wireless network.
2) Mr 31337 comes along and puts up a rogue DHCP server.
3) All 400 people continue working just fine until their lease expires,
  which is likely after the conference ends. The 10 people who came in 
  late get info from the rogue server, and troubleshooting ensues.

So a delayed failure makes it easier to troubleshoot?
I'd rather know right away.
Also - I'd rather not make the mistake in the first place ... but life isn't
perfect.


Let's try with IPv6.
1) 400 people get on the NANOG wireless network.
2) Mr 31337 sends a rogue RA.
3) 400 people instantly lose network access.
  The 10 who come in late don't even bother to try and get on.
So, with DHCP handing out a default route we have 10/400 down, with
RAs we have 410/410 down.  Bravo!

Right, so a timing difference is all you are talking about - and the
malicious person would probably know his/her limitations, and therefore show
up early.  Same end result.
Also - there are questions over what type of RA was sent (or, more
correctly, what type of payload), the timing of the good RAs, etc.
BUT, the point is taken - yes, rogue RAs are a problem and there is a
solution being developed.


Let me clear up something from the start; this is not security.  If
security is what you are after none of the solutions proffered so far
work.  Rather this is robust network design.  A working device
shouldn't run off and follow a new router in milliseconds like a lost
puppy looking for a treat.

This actually offers a lot of protection from stupidity though.  Ever
plug an IPv4 router into the wrong switch port accidentally?  What
happened?  Probably nothing; no one on the LAN used the port IP'ed in
the wrong subnet.  They ignored it.

Try that with an IPv6 router.  About 10 ms after you plug into the
wrong port out goes an RA, the entire subnet ceases to function, and
your phone lights up like a Christmas tree.

Right ... but you unplug it, NUD flushes and assuming you have your
environment set right all is well in short order.


Let me repeat, none of these solutions are secure.  The IPv4/DHCP
model is ROBUST, the RA/DHCPv6 model is NOT.

I would still disagree.  More readily supporting multiple routers seems like
a measure of robustness, to me anyway.


Yup, understood.
The point I am making is that the solution is still the same - filtering in
ethernet devices.

YES!


Perhaps there needs to be something written about detailed requirements for
this so that people have something to point their switch/etc. vendors at when
asking for compliance. I will write this up in the next day or two. I guess
IETF is the right forum for publication of that.

Is there something like this already that anyone knows of?

YES!
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
Push vendors for support, please.

(For wireless, something like PSPF would work just fine AFAIK ... please
correct me if I am wrong!)
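A sensor-side check that applies the same policy RA Guard enforces at the switch port: only known routers may advertise, and only the prefixes they are supposed to advertise. This is an added example, not code from the thread or the draft; the router and prefix allowlists and the sample advertisements are constructed.

```python
import ipaddress
import struct

# Assumed allowlists (constructed for this example): link-local addresses of the
# legitimate routers and the prefixes they are expected to advertise.
KNOWN_ROUTERS = {"fe80::1", "fe80::2"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}

def build_ra(router_lifetime, prefix, prefix_len):
    """Construct an ICMPv6 Router Advertisement (type 134) carrying one
    Prefix Information option; checksum is left at 0 for the sample data."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    # Prefix Information option: type 3, length 4 (32 bytes), L and A flags set
    opt = struct.pack("!BBBBIII", 3, 4, prefix_len, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(payload):
    """Return the RA header fields and advertised prefixes, or None if not an RA."""
    if len(payload) < 16 or payload[0] != 134:
        return None
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    prefixes, off = [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                      # malformed option, stop parsing
            break
        if otype == 3 and olen == 4 and off + 32 <= len(payload):
            plen = payload[off + 2]
            pfx = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append(f"{pfx}/{plen}")
        off += olen * 8                    # option length is in units of 8 octets
    return {"hop_limit": hop, "managed": bool(flags & 0x80),
            "router_lifetime": lifetime, "prefixes": prefixes}

def classify(src, payload):
    """Apply an RA-Guard-style policy to one RA seen from link-local address src."""
    ra = parse_ra(payload)
    if ra is None:
        return "not-an-RA"
    if src not in KNOWN_ROUTERS:
        return "rogue-source"            # unknown router: hosts would adopt it as default
    if not set(ra["prefixes"]) <= ALLOWED_PREFIXES:
        return "unexpected-prefix"       # known router advertising a prefix it should not
    if ra["router_lifetime"] == 0:
        return "route-withdrawal"        # lifetime 0 removes this router as default gateway
    return "ok"

def audit(events):
    """Run the policy over (src, payload) pairs and return only the alerts."""
    return [(src, v) for src, p in events if (v := classify(src, p)) != "ok"]

if __name__ == "__main__":
    sample = [("fe80::1", build_ra(1800, "2001:db8:1::", 64)),
              ("fe80::bad", build_ra(1800, "2001:db8:bad::", 64))]
    print(audit(sample))
```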


