nanog mailing list archives

Re: IPv6 RA vs DHCPv6 - The chosen one?


From: Tomas Podermanski <tpoder () cis vutbr cz>
Date: Fri, 23 Dec 2011 21:50:12 +0100

Hi,

On 12/23/11 9:09 PM, Ray Soucy wrote:
> On Fri, Dec 23, 2011 at 2:51 PM, Tomas Podermanski <tpoder () cis vutbr cz> wrote:
>
>> That is true, but we know the solution for IPv4 (DHCP snooping, ARP
>> protection, source address validation) and there are access switches on
>> the market with those security features. Switches supporting such
>> features for IPv6 are usually much more expensive. And there is another
>> problem. Even if you have money for that hardware, it does not protect
>> you against malicious attacks.
>
> Yes, and over time similar Layer-2 security features will become
> available for IPv6 by default.  The more people who work to deploy
> IPv6 and express these concerns to vendors, the more likely vendors
> are to give them priority.
>
> RA Guard is one such example where vendors have responded to community
> concerns and have begun to implement the functionality.
>
> All these problems exist for IPv4, and I would go as far as to say
> that the vast majority of networks don't even implement things like
> ARP inspection, DHCP snooping, IP source verification, UUFB, etc.
> They're things that dramatically increase network stability, and
> things that are used by those of us who run larger networks, but they
> are certainly not typical by any measure.

I agree with you, that is not typical for many networks. For example, in
our network we have enabled some of those features (not all) only in some
subnets. Unfortunately, those subnets connect over 70% of our users
(6500). It is also great that many producers are going to take those issues
seriously.

Actually, we have quite big concerns with the decision whether:

1. to buy cheaper access switches (like HP 42xx) that have security
features for IPv4 but will never have support for IPv6. The hardware
does not support IPv6 at all. In that case we will be able to replace
the access switches in quite a short time - one year. And in the next five years
we will buy a brand new generation of switches that will have all
those problems solved (I hope).

or

2. to buy much more expensive switches (like HP 54xx) that support some
basic security features for IPv6, and there is some probability that
other features will be implemented. So we will be able to use ra-guard
and ACLs immediately. In that case there is still a chance that some
features will not be implemented due to hardware limits. So we will have
to buy a new generation of switches again in five years.

Tomas

