IPv6 delivery model to end customers

Soucy, Ray rays at maine.edu
Mon Feb 9 14:21:24 UTC 2009


> It's scenario 2 I'm worried about, all those mechanisms haven't been
> implemented for IPv6 as far as I know and if you're only doing 2.2-2.5
> then you're open to the IPv6 security issue I described.

We've been seeing problems with this for the last year or so (since
Vista started showing up).  Since we run an academic network, we don't
have as much control over hosts as you would see in a corporate setting.

We've started poking Cisco about some key IPv6 support that we really
need to move forward.

A big one is a solution to address the security concerns with IPv6 RA
(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the
option of using DHCP snooping to suppress unauthorized DHCP servers from
handing out address information. With IPv6, any host can announce itself
as a router (using RA) and make network traffic suddenly start making
use of it as the router for a network. This makes it possible for hosts
to inadvertently disrupt network service (Vista) or even be used
maliciously to perform a man-in-the-middle attack to intercept your
traffic. Similarly with DHCPv6 there is nothing stopping a host from
trying to hand out stateful IPv6 address configuration.

Even worse is that since modern hosts give traffic priority to IPv6, it
becomes easy for a rogue host (Vista) to advertise itself as an IPv6
router on IPv4-only networks. So there are security concerns even for
networks that do not run IPv6 here.

I think it goes without saying that this needs to be addressed before
IPv6 can be deployed on most campus networks where users manage their
own PCs.

So Cisco (and other vendors) needs to introduce two things for LAN
switching: DHCPv6 snooping, and more importantly, RA suppression (or RA
snooping).

As far as IPv6 deployment to residential customers...  I say most things
these days are moving to Metro Ethernet.  Give ea. customer a VLAN, that
will save you a lot of headache and ultimately provide a better
experience for the customer.

Ray Soucy
Communications Specialist

+1 (207) 561-3526

Communications and Network Services

University of Maine System
http://www.maine.edu/
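As an added illustration (not part of the post, and not Cisco's or anyone's RA-guard implementation), here is a small Python model of the "RA snooping" decision described above: it parses ICMPv6 Router Advertisement payloads per RFC 4861 and forwards an RA only if its source link-local address is on an allowlist of authorized routers, dropping unauthorized or malformed ones. The allowlist (`fe80::1`) and the three sample payloads are constructed for the demo.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3

# Constructed sample RA payloads (ICMPv6 checksum left as zero; not wire captures).
RA_AUTHORIZED = bytes.fromhex(
    "86000000 4000 0708 00000000 00000000"   # type 134, hop limit 64, lifetime 1800s
    "0304 40c0 00278d00 00093a80 00000000"   # prefix info option: /64, L+A flags
    "20010db8000000010000000000000000")      # prefix 2001:db8:0:1::
RA_ROGUE = bytes.fromhex(
    "86000000 4080 0708 00000000 00000000"   # M flag set: "get addresses from DHCPv6"
    "0304 40c0 00278d00 00093a80 00000000"
    "20010db80bad00000000000000000000")      # prefix 2001:db8:bad::
RA_TRUNCATED = RA_AUTHORIZED[:16] + bytes.fromhex("0300")  # option with length 0

def parse_ra(payload: bytes) -> dict:
    """Parse an RA: header flags, router lifetime and advertised prefixes.
    Raises ValueError on anything that is not a well-formed RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    off = 16                                 # options start after the fixed header
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("bad option length")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append(f"{prefix}/{plen}")
        off += olen
    return ra

def ra_guard(src: str, payload: bytes, authorized_routers: set) -> tuple:
    """Per-port RA-guard decision: ('forward'|'drop', reason)."""
    try:
        ra = parse_ra(payload)
    except ValueError as e:
        return "drop", f"malformed RA from {src}: {e}"
    if src not in authorized_routers:
        return "drop", f"RA from unauthorized source {src} (prefixes {ra['prefixes']})"
    return "forward", f"RA from authorized router {src} (prefixes {ra['prefixes']})"

if __name__ == "__main__":
    allow = {"fe80::1"}
    for src, pkt in [("fe80::1", RA_AUTHORIZED), ("fe80::2", RA_ROGUE), ("fe80::1", RA_TRUNCATED)]:
        print(*ra_guard(src, pkt, allow))
```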