nanog mailing list archives
Re: {SPAM?} Re: IPv6 Deployment for the LAN
From: Ray Soucy <rps () maine edu>
Date: Thu, 22 Oct 2009 15:42:19 -0400
Sorry, not buying it. The solution here, and one that is already being worked on by vendors, is RA gaurd, not changing DHCPv6 in an effort to bypass RA. What your proposing as a solution isn't much of a solution at all but just a (seemingly) lesser problem. On Thu, Oct 22, 2009 at 3:29 PM, Leo Bicknell <bicknell () ufp org> wrote:
In a message written on Thu, Oct 22, 2009 at 03:23:13PM -0400, Ray Soucy wrote:If the argument against RA being used to provide gateway information is "rogue RA," then announcing gateway information though the use of DHCPv6 doesn't solve anything. Sure you'll get around rogue RA, but you'll still have to deal with rogue DHCPv6. So what is gained?It's a huge difference, and any conference network shows it. Let's assume 400 people come into a room, get up and working (with DHCPv4, and IPv6 RA's). Someone now introduces a rogue IPv4 server. Who breaks? Anyone who requests a new lease. That is 400 people keep working just fine. Now, someone introduces a roge RA. Who breaks? All 400 users are instantly down. More importantly, there is another class of misconfigured device. I plugged in a Cisco router to download new code to it on our office network. It had a DHCP forward statement, and IPv6. It was from another site. The DHCP forward didn't work, it pointed to something non-existant that also was never configured for the local subnet. There was zero chance of IPv4 interfearance. The IPv6 network picked up the RA to a router with no routes though, and so simply plugging in the old router took down the entire office network. The operational threats of a DHCP based network and a RA based network are quite different. Try it on your own network. -- Leo Bicknell - bicknell () ufp org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
-- Ray Soucy Communications Specialist +1 (207) 561-3526 Communications and Network Services University of Maine System http://www.maine.edu/
Current thread:
- Re: IPv6 Deployment for the LAN, (continued)
- Re: IPv6 Deployment for the LAN Kevin Loch (Oct 22)
- Re: IPv6 Deployment for the LAN David Conrad (Oct 22)
- RE: IPv6 Deployment for the LAN Tony Hain (Oct 22)
- Re: IPv6 Deployment for the LAN David Conrad (Oct 22)
- Re: IPv6 Deployment for the LAN Iljitsch van Beijnum (Oct 22)
- Re: IPv6 Deployment for the LAN Adrian Chadd (Oct 22)
- Re: IPv6 Deployment for the LAN Owen DeLong (Oct 22)
- Re: IPv6 Deployment for the LAN sthaug (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Leo Bicknell (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Leo Bicknell (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Chuck Anderson (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Ray Soucy (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN John Payne (Oct 22)
- Re: IPv6 Deployment for the LAN Dan White (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN David W. Hankins (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Perry Lorier (Oct 22)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN David W. Hankins (Oct 23)
- Re: {SPAM?} Re: IPv6 Deployment for the LAN Joel Jaeggli (Oct 24)