Automatic IPv6 due to broadcast

Owen DeLong owen at delong.com
Mon Apr 23 02:24:53 CDT 2012


On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:

> On 4/22/12, Grant Ridder <shortdudey123 at gmail.com> wrote:
> 
>> Most switches nowadays have dhcpv4 detection that can be enabled for port
> 
> Yes. Many L2 switches have DHCPv4 "Snooping",  where some port(s) can
> be so designated as trusted DHCP server ports, for certain Virtual
> LANs; and dhcp messages can be detected and suppressed from
> unauthorized edge ports.   


Sounds suspiciously like IPv6 RA Guard, no?


>   Particularly good L2 switches also have
> DAI  or  "IP Source guard"  IPv4 functions,   which when properly
> enabled,  can foil certain L2 ARP  and IPv4 source  address spoofing
> attacks,  respectively.
> 

> e.g. Source IP address of packet does not match one of the DHCP leases
> issued to that port -- then drop the packet.
> 

Meh... I can see many cases where that might be more of a bug than feature.

Especially in environments where loops may be possible and the DHCP lease might
have come over a different path than the port in question during some network event.

> 
> As for IPv6; rfc6105;  you have
> ipv6 nd raguard
> 
> and IOS NDP inspection.
> 
> However, there are caveats that should be noted.    RA guard
> implementations can be trivially fooled by the use of crafted packets.
> 

Frankly, I suggest dropping any RA that doesn't fit in a single packet as a simple solution to the crafted-packet issue. (The crafted packet attacks by and large depend on crafting it so that there are enough extension headers to put the RA header in the second or later fragment).

> These are potentially good protections against accidental
> configuration errors, but not malicious attack from a general purpose
> computer.

If you have a malicious attack from a general purpose computer on your own LAN, you've already lost on multiple levels to some extent or other.

The most effective solution at that point is to identify, locate, and excise said attacker.

> 
> 
> Currently,  IPv4  seems to win at L2 easily in regards to the level of
> hardware security features commonly available on L2 switches  that
> pertain to IP.
> 

There was a time when one probably could have argued that Novell beat IP on that basis alone.

IPv4 loses when you consider that there are more than 3.2 billion people in the world. That people likely will need a minimum of 5 IP addresses each. That we also need to number infrastructure, routers, servers, sensor grids, etc.

IPv4 also loses when you consider the pervasiveness of debilitated IPv4 internetworking in favor of address conservation over the last 20 years.

Owen

> 
> 
>> -Grant
> --
> -JH




More information about the NANOG mailing list