IPv6 Confusion
Nathan Ward
nanog at daork.net
Wed Feb 18 21:00:48 UTC 2009
On 19/02/2009, at 9:53 AM, Leo Bicknell wrote:
> In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300,
> Nathan Ward wrote:
>> I guess you don't use DHCP in IPv4 then.
>
> No, you seem to think the failure mode is the same, and it is not.
>
> Let's walk through this:
>
> 1) 400 people get on the NANOG wireless network.
>
> 2) Mr 31337 comes along and puts up a rogue DHCP server.
>
> 3) All 400 people continue working just fine until their lease expires,
> which is likely after the conference ends.
>
> The 10 people who came in late get info from the rogue server, and
> troubleshooting ensues.
>
> Let's try with IPv6.
>
> 1) 400 people get on the NANOG wireless network.
>
> 2) Mr 31337 sends a rogue RA.
>
> 3) 400 people instantly lose network access.
>
> The 10 who come in late don't even bother to try and get on.
>
> So, with DHCP handing out a default route we have 10/400 down, with RAs
> we have 410/410 down. Bravo!
>
> Let me clear up something from the start; this is not security. If
> security is what you are after none of the solutions proffered so
> far work. Rather this is robust network design. A working device
> shouldn't run off and follow a new router in milliseconds like a
> lost puppy looking for a treat.
>
> This actually offers a lot of protection from stupidity though. Ever
> plug an IPv4 router into the wrong switch port accidentally? What
> happened? Probably nothing; no one on the LAN used the port IP'ed in
> the wrong subnet. They ignored it.
>
> Try that with an IPv6 router. About 10 ms after you plug into the wrong
> port out goes an RA, the entire subnet ceases to function, and your
> phone lights up like a Christmas tree.
>
> Let me repeat, none of these solutions are secure. The IPv4/DHCP model
> is ROBUST, the RA/DHCPv6 model is NOT.
Yup, understood.
The point I am making is that the solution is still the same -
filtering in Ethernet devices.
Perhaps there needs to be something written about detailed
requirements for this so that people have something to point their
switch/etc. vendors at when asking for compliance. I will write this
up in the next day or two. I guess IETF is the right forum for
publication of that.
Is there something like this already that anyone knows of?
--
Nathan Ward
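The "filtering in Ethernet devices" Nathan points to is the per-port decision an RA-Guard-style switch feature makes: only let a Router Advertisement through if it comes from a known router and advertises expected prefixes. As an added illustration that is not part of this thread or of any vendor's implementation, the Python below builds a constructed RA frame and runs that decision over it; the trusted MAC, link-local addresses and prefixes are made-up sample values, and the checksum is left at zero because the filter never verifies it.

```python
import struct
import ipaddress

ETH_IPV6, IPPROTO_ICMPV6, ICMPV6_RA, OPT_PREFIX = 0x86DD, 58, 134, 3

def build_ra(src_mac: bytes, src_ll: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Assemble a constructed Ethernet/IPv6/ICMPv6 Router Advertisement frame (sample input only)."""
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (8-byte units), prefix length, L+A flags, lifetimes, reserved, prefix
    opt = struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    # RA header: type, code, checksum (0, unverified here), cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed)
    return b"\x33\x33\x00\x00\x00\x01" + src_mac + struct.pack("!H", ETH_IPV6) + ip6 + icmp

def ra_guard(frame: bytes, trusted_macs: set, allowed_prefixes: set) -> str:
    """Decide whether an RA seen on an untrusted port is forwarded or dropped, and why."""
    if len(frame) < 55 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return "forward: not IPv6"
    src_mac, nxt, hop = frame[6:12], frame[20], frame[21]
    src_ip = ipaddress.IPv6Address(frame[22:38])
    if nxt != IPPROTO_ICMPV6 or frame[54] != ICMPV6_RA:
        return "forward: not a Router Advertisement"
    # RFC 4861: ND messages must arrive with hop limit 255 and a link-local source
    if hop != 255:
        return "drop: RA hop limit %d (ND requires 255)" % hop
    if not src_ip.is_link_local:
        return "drop: RA source %s is not link-local" % src_ip
    if src_mac not in trusted_macs:
        return "drop: RA from untrusted MAC %s" % src_mac.hex(":")
    # Walk the ND options (start at byte 70) and check every advertised prefix against the allowlist
    off = 70
    while off + 2 <= len(frame):
        typ, ln = frame[off], frame[off + 1] * 8
        if ln == 0 or off + ln > len(frame):
            return "drop: malformed ND option"
        if typ == OPT_PREFIX and ln == 32:
            pfx = ipaddress.IPv6Network((bytes(frame[off + 16:off + 32]), frame[off + 2]), strict=False)
            if str(pfx) not in allowed_prefixes:
                return "drop: unexpected prefix %s" % pfx
        off += ln
    return "forward: RA from trusted router"
```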