turning on comcast v6

Jeff Kell jeff-kell at utc.edu
Tue Dec 31 02:05:47 UTC 2013


On 12/30/2013 8:16 PM, Leo Bicknell wrote:
> There's a reason why there's huge efforts to put RA guard in switches, and do cryptographic RA's.
These are two admissions that the status quo does not work for many
folks, but for some reason these two solutions get pushed over a simple
DHCP router assignment option.

The more disturbing "feature" for those that have been there, done that,
debugged the meltdown, and tried to avoid repeating the issue is the
growing proliferation of "automatic" discovery/configuration... whether
RA / SLAAC / mDNS / Bonjour / UPnP / (the list goes on...).  There are
too many opportunities for spoofing / MITM / self-propagating "issues".

Yes, DHCP is prone to similar issues, but better to focus on "one"
service and "one" authoritative source to try to lock down than to try
to protect the plethora of growing options to introduce issues from
arbitrary sources.

But as the market focus appears to continue to try to address the home /
SOHO environment of naive users, the "self-configuration" nastiness
continues to propagate.  It may fit at home / SOHO, but not in the
Enterprise, and certainly not in a university environment where you
can't be as "restrictive" on a universal basis as you might like to be :(

Jeff
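
The RA guard idea quoted above, combined with the "one authoritative source" approach from the reply, as an added example that is not part of the original thread: a software check that accepts IPv6 Router Advertisements only from an allowlisted router and prefix. The router address, the prefix and all function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumed site policy (constructed values): the only router allowed to send
# RAs on this segment and the only prefix it may advertise.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
AUTHORIZED_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}

def parse_ra(icmp: bytes):
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack_from("!H", icmp, 6)[0]  # router lifetime, seconds
    prefixes, off = [], 16
    while off < len(icmp):
        # Option length is counted in units of 8 octets; zero is invalid.
        opt_len = icmp[off + 1] * 8 if off + 1 < len(icmp) else 0
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if icmp[off] == 3 and opt_len == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, icmp[off + 2]), strict=False))
        off += opt_len
    return lifetime, prefixes

def check_ra(src: str, hop_limit: int, icmp: bytes):
    """Return policy violations for one RA; an empty list means accept."""
    try:
        _, prefixes = parse_ra(icmp)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if hop_limit != 255:  # RFC 4861 requires 255, so off-link senders are rejected
        findings.append("hop limit is not 255")
    if ipaddress.IPv6Address(src) not in AUTHORIZED_ROUTERS:
        findings.append(f"unauthorized router {src}")
    for prefix in prefixes:
        if prefix not in AUTHORIZED_PREFIXES:
            findings.append(f"unexpected prefix {prefix}")
    return findings

def build_ra(prefix: str, lifetime: int = 1800) -> bytes:
    """Construct a sample RA body (checksum left as zero) for testing the check."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + pio + net.network_address.packed
```

The same allowlist logic is what a switch applies per port with RA guard; on a host or monitoring tap it only detects, it does not stop other hosts from acting on the advertisement.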
