Automatic IPv6 due to broadcast

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Tue Apr 17 03:33:55 CDT 2012


IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.

Not to mention that, as pointed out by others, this provides a wonderful
opportunity to look into this new (*grin*) protocol.

Cheers!

~Carlos

On 4/16/12 9:32 PM, Arturo Servin wrote:
> Anurag,
>
> 	You have a rogue RA in your network. Now it is just an annoying DoS, but it can easily be turned into a real security concern.
>
> 	I suggest either deploying IPv6 properly or disabling it. I am more on the former, but it is your choice.
>
> Regards
> -as
>
> On 16 Apr 2012, at 15:09, Anurag Bhatia wrote:
>
>> Hello everyone
>>
>>
>>
>> Just got an awfully crazy issue. I heard from our support team about failure
>> of whois during domain registration. Initially I thought of port 43 TCP
>> block or something but found it was all ok. Later when I ran whois manually
>> on server via terminal it failed. Found problem that server was connecting
>> to whois server - whois.verisign-grs.com. I was stunned! Server got IPv6
>> and not just that one - almost all. This was scary - partial IPv6 setup and
>> it was breaking things.
>>
>> In routing tables, routes were all going to a router which I recently set up
>> for testing. That router and other servers are under same switch but by no
>> means I ever configured that router as default gateway for IPv6. I found
>> option of "broadcast" was enabled on router for local fe80... address and I
>> guess router broadcasted IPv6 and somehow (??) all servers found that they
>> have an IPv6 router on LAN and started using it - automated DHCP IPv6?
>>
>> I wonder if anyone else also had similar issues? Also, if my guesses are
>> correct then how can we disable Red Hat distro oriented servers from taking
>> such automated configuration - simple DHCP in IPv6 disable?
>>
>>
>>
>>
>> Thanks
>>
>> -- 
>>
>> Anurag Bhatia
>> anuragbhatia.com
>> or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected
>> network!
>>
>> Twitter: @anurag_bhatia <https://twitter.com/#!/anurag_bhatia>
>> Linkedin: http://linkedin.anuragbhatia.com
>
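
Finding the rogue RA discussed in this thread comes down to reading the Router Advertisements seen on the LAN and comparing their senders with the routers that are supposed to be there. The following is an added example, not code from any poster in the thread: it parses ICMPv6 RA payloads (RFC 4861) and reports senders that are not on an allow-list. The function names, the allow-list, and the sample packets are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134); checksum is not verified."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "mac": None, "prefixes": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off + 2:off + olen]
        if otype == 1 and olen == 8:      # source link-layer address
            ra["mac"] = ":".join(f"{b:02x}" for b in body)
        elif otype == 3 and olen == 32:   # prefix information
            net = IPv6Network((IPv6Address(body[14:30]), body[0]), strict=False)
            ra["prefixes"].append((str(net), bool(body[1] & 0x40)))  # (prefix, autonomous/SLAAC flag)
        off += olen
    return ra

def find_rogue_ras(observed, allowed_routers):
    """Return every RA whose (source address, MAC) pair is not an approved router."""
    findings = []
    for src, payload in observed:
        ra = parse_ra(payload)
        if (str(IPv6Address(src)), ra["mac"]) not in allowed_routers:
            findings.append({"src": src, **ra})
    return findings

def _sample_ra(mac_hex: str) -> bytes:
    """Constructed RA: lifetime 1800 s, prefix 2001:db8:0:1::/64 with L and A flags set."""
    return bytes.fromhex("8600000040000708" + "00" * 8 + "0101" + mac_hex
                         + "030440c000278d0000093a8000000000"
                         + "20010db800000001" + "00" * 8)

# Hypothetical allow-list and constructed capture (addresses and MACs are made up).
ALLOWED = {("fe80::1", "02:00:00:00:00:aa")}
OBSERVED = [("fe80::1", _sample_ra("0200000000aa")),
            ("fe80::2", _sample_ra("020000000001"))]

if __name__ == "__main__":
    for f in find_rogue_ras(OBSERVED, ALLOWED):
        print(f"unapproved RA from {f['src']} ({f['mac']}), lifetime "
              f"{f['router_lifetime']}s, prefixes {f['prefixes']}")
```

The reported MAC is what you would then look up in the switch's forwarding table to locate the port of the advertising device.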



More information about the NANOG mailing list