{SPAM?} Re: IPv6 Deployment for the LAN

Ray Soucy rps at maine.edu
Thu Oct 22 20:32:17 UTC 2009


Correct.

Not sure if you got the sarcasm in that last reply...

As far as I'm concerned, a rogue is a rogue.  Knowing about it the
instant it happens might even be better than slowly coming to the
realization that you're dealing with one.  The point is that we need
to address rogues regardless of their type, not move from RA to DHCPv6
because the impact of a rogue is slower to disrupt service.

On Thu, Oct 22, 2009 at 4:06 PM, Chuck Anderson <cra at wpi.edu> wrote:
> On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
>> Really.  How do we deal with rogue DHCP on the wireless LAN, obviously
>> this is such a complex issue that we couldn't possibly have a solution
>> that could be applied to RA.
>
> Rogue DHCP doesn't immediately take down the entire subnet of machines
> with existing DHCP leases.  It generally only affects new machines
> trying to get a lease, or RENEWing machines.  The impact of a rogue RA
> is to immediately break connectivity for every machine on the subnet.
> Differing impacts leads to different risk assessments of which
> protocol to use.
>
> Regardless, modern wireless deployments use central controllers or
> smart APs that can filter DHCP.  They could be extended to filter RA
> as well.
>
> And this whole point is rather moot because we have RAs and must deal
> with them.  It is too late to get rid of the RA behavior of clients.
> Even if you don't want to use RAs, your hosts are going to still
> listen to them which means a Rogue RA is going to take down your
> network.  We have this problem even on IPv4-only subnets, where a
> Rogue RA (usually a Windows box with routing turned on) breaks
> connectivity to dual-stack servers for machines on that subnet.  Since
> the hosts prefer native IPv6 connectivity over IPv4, the hosts end up
> preferring the Rogue RA as the route towards the dual-stack server.
>
> We really just need to bug our vendors to implement Rogue RA
> protection for wired and wireless ASAP, wherever we are in our
> deployment of IPv6.
-- 

Ray Soucy
Communications Specialist

+1 (207) 561-3526

Communications and Network Services

University of Maine System
http://www.maine.edu/
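A defender-side check for the rogue RA problem discussed in the thread, added here as an example that is not from the thread or either author: it parses ICMPv6 Router Advertisements (RFC 4861) and flags any RA whose link-local source or advertised prefix is not on a locally configured allowlist, which is the detection a controller or "RA Guard"-style filter would need to perform. The allowlist values, the sample packet builder and the packets fed to it are constructed assumptions.

```python
import struct
import ipaddress

# Constructed assumptions: the only router allowed to send RAs on this LAN,
# and the only prefix it should advertise.
AUTHORIZED_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = {"2001:db8:1::/64"}

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3

def parse_ra(payload: bytes):
    """Parse an ICMPv6 RA; return (router_lifetime, [prefixes]) or None if not an RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    _t, _c, _sum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    prefixes, off = [], 16
    while off + 2 <= len(payload):            # walk the TLV options
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                      # zero-length option is malformed; stop, don't spin
            break
        if opt_type == OPT_PREFIX_INFO and opt_len == 4 and off + 32 <= len(payload):
            plen = payload[off + 2]           # prefix length byte
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])  # 16-byte prefix field
            prefixes.append(f"{prefix}/{plen}")
        off += opt_len * 8                    # option length is in units of 8 octets
    return lifetime, prefixes

def check_ra(src: str, payload: bytes):
    """Return a list of findings; empty means the RA came from an expected router."""
    parsed = parse_ra(payload)
    if parsed is None:
        return []
    _lifetime, prefixes = parsed
    findings = []
    if src not in AUTHORIZED_ROUTERS:
        findings.append(f"unauthorized RA source {src}")
    for p in prefixes:
        if p not in EXPECTED_PREFIXES:
            findings.append(f"unexpected prefix {p} from {src}")
    return findings

def build_ra(lifetime: int, prefix: str) -> bytes:
    """Constructed sample RA with one Prefix Information option (for testing only)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed

if __name__ == "__main__":
    print(check_ra("fe80::1", build_ra(1800, "2001:db8:1::/64")))       # legitimate router
    print(check_ra("fe80::dead", build_ra(1800, "2001:db8:bad::/64")))  # host with routing on
```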