IPv6 Confusion

Nathan Ward nanog at daork.net
Wed Feb 18 21:00:48 UTC 2009 

On 19/02/2009, at 9:53 AM, Leo Bicknell wrote:

> In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300,  
> Nathan Ward wrote:
>> I guess you don't use DHCP in IPv4 then.
>
> No, you seem to think the failure mode is the same, and it is not.
>
> Let's walk through this:
>
> 1) 400 people get on the NANOG wireless network.
>
> 2) Mr 31337 comes along and puts up a rogue DHCP server.
>
> 3) All 400 people continue working just fine until their lease  
> expires,
>   which is likely after the conference ends.
>
>   The 10 people who came in late get info from the rogue server, and
>   troubleshooting ensues.
>
> Let's try with IPv6.
>
> 1) 400 people get on the NANOG wireless network.
>
> 2) Mr 31337 sends a rouge RA.
>
> 3) 400 people instantly loose network access.
>
>   The 10 who come in late don't even bother to try and get on.
>
> So, with DHCP handing out a default route we have 10/400 down, with  
> RA's
> we have 410/410 down.  Bravo!
>
> Let me clear up something from the start; this is not security.  If
> security is what you are after none of the solutions proffered so
> far work.  Rather this is robust network design.  A working device
> shouldn't run off and follow a new router in miliseconds like a
> lost puppy looking for a treat.
>
> This actually offers a lot of protection from stupidity though.  Ever
> plug an IPv4 router into the wrong switch port accidently?  What
> happened?  Probably nothing; no one on the LAN used the port IP'ed in
> the wrong subnet.  They ignored it.
>
> Try that with an IPv6 router.  About 10 ms after you plug into the  
> wrong
> port out goes an RA, the entire subnet ceases to function, and your
> phone lights up like a christmas tree.
>
> Let me repeat, none of these solutions are secure.  The IPv4/DHCP  
> model
> is ROBUST, the RA/DHCPv6 model is NOT.


Yup, understood.

The point I am making is that the solution is still the same -  
filtering in ethernet devices.

Perhaps there needs to be something written about detailed  
requirements for this so that people have something to point their  
switch/etc. vendors at when asking for compliance. I will write this  
up in the next day or two. I guess IETF is the right forum for  
publication of that.

Is there something like this already that anyone knows of?

--
Nathan Ward

More information about the NANOG mailing list