IPv6 delivery model to end customers

TJ trejrco at gmail.com
Mon Feb 9 18:58:43 UTC 2009


>A big one is a solution to address the security concerns with IPv6 RA
>(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option
>of using DHCP snooping to suppress unauthorized DHCP servers from handing
>out address information. With IPv6, any host can announce itself as a router
>(using RA) and make network traffic suddenly start making use of it as the
>router for a network. This makes it possible for hosts to inadvertently
>disrupt network service (Vista) or even be used maliciously to perform a
>man-in-the-middle attack to intercept your traffic. Similarly with DHCPv6
>there is nothing stopping a host from trying to hand out stateful IPv6
>address configuration.
>
>Even worse is that since modern hosts give traffic priority to IPv6, it
>becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router
>on IPv4-only networks. So there are security concerns even for networks that
>do not run IPv6 here.
>
>I think it goes without saying that this needs to be addressed before
>IPv6 can be deployed on most campus networks where users manage their own
>PCs.
>
>So Cisco (and other vendors) needs to introduce two things for LAN
>switching. DHCPv6 snooping, and more importantly, RA suppression (or RA
>snooping).

Indeed, this is a problem.
RA Guard is a very straightforward, hopefully soon-to-be-widely-supported,
defense.
	http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

A "pure layer 3" solution is, of course, SEND/CGA ... where deployment
concerns/problems abound ...
	http://tools.ietf.org/html/rfc3971 &
	http://tools.ietf.org/html/rfc3972

And as I may have said once or thrice already, YES - I agree these solutions
should have been developed / made deployable long before now.


>As far as IPv6 deployment to residential customers...  I say most things
>these days are moving to Metro Ethernet.  Give ea. customer a VLAN, that
>will save you a lot of headache and ultimately provide a better experience
>for the customer.

Amen to that ...
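The rogue-RA problem discussed above, and the RA Guard port policy TJ points to, as an added worked example (this is not code from the original thread or from either poster, and not an implementation of the IETF draft): a toy RA Guard in Python that parses an ICMPv6 Router Advertisement out of a raw Ethernet frame and applies a per-port policy the way an RA-Guard-capable switch would. Host-facing ports drop every RA (this is the policy that also protects an IPv4-only segment from a host that starts advertising itself as a router); router-facing ports forward an RA only if it comes from a trusted source MAC, from a link-local source with hop limit 255, and announces only prefixes inside the site's allocation. The MAC addresses, link-local addresses and prefixes are constructed sample values from the documentation ranges, and the constructed frames carry a zero ICMPv6 checksum that the parser does not verify.

```python
"""Toy RA Guard: parse an ICMPv6 Router Advertisement from a raw Ethernet frame
and apply a per-port forward/drop policy. Added example, not the draft itself."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ND_OPT_SOURCE_LLADDR = 1
ND_OPT_PREFIX_INFO = 3
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def parse_ra(frame: bytes):
    """Return a dict describing the RA in `frame`, or None if it is not a well-formed RA.
    The ICMPv6 checksum is not verified (constructed sample frames carry a zero checksum)."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:54]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip[4:8])
    if ip[0] >> 4 != 6 or next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    ra = {"src_mac": src_mac, "src_ip": ipaddress.IPv6Address(ip[8:24]),
          "hop_limit": hop_limit, "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
          "prefixes": [], "src_lladdr": None}
    # Walk the TLV options; length is in 8-octet units and zero is illegal (RFC 4861).
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            return None  # malformed option: treat the whole RA as unparseable
        body = icmp[off + 2:off + opt_len]
        if opt_type == ND_OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["src_lladdr"] = body[:6]
        elif opt_type == ND_OPT_PREFIX_INFO and len(body) == 30:
            # body: prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        off += opt_len
    return ra


def ra_guard(frame: bytes, role: str, trusted_routers=frozenset(), allowed_prefixes=()):
    """Port policy. Returns (verdict, reason). Non-RA frames always pass.
    role "host":   the port faces an end host, so any RA it sends is rogue.
    role "router": forward only RAs from a trusted MAC, link-local source, hop limit 255,
                   whose prefix options all fall inside `allowed_prefixes` (if given)."""
    ra = parse_ra(frame)
    if ra is None:
        return ("forward", "not an RA")
    if role == "host":
        return ("drop", "RA received on a host-facing port")
    if ra["src_mac"] not in trusted_routers:
        return ("drop", "RA from untrusted source MAC %s" % ra["src_mac"].hex(":"))
    if not ra["src_ip"].is_link_local or ra["hop_limit"] != 255:
        return ("drop", "RA source not link-local or hop limit != 255")
    if ra["src_lladdr"] is not None and ra["src_lladdr"] != ra["src_mac"]:
        return ("drop", "source link-layer option does not match frame source MAC")
    for p in ra["prefixes"]:
        if allowed_prefixes and not any(p.subnet_of(a) for a in allowed_prefixes):
            return ("drop", "RA announces unauthorized prefix %s" % p)
    return ("forward", "RA from trusted router")


def build_ra(src_mac: bytes, src_ip: str, prefix: str, router_lifetime=1800, hop_limit=255):
    """Construct a sample Ethernet/IPv6/ICMPv6 RA frame (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    opts = bytes([ND_OPT_SOURCE_LLADDR, 1]) + src_mac
    opts += bytes([ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])  # L and A flags set
    opts += struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0) + opts
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ip += ipaddress.IPv6Address(src_ip).packed + ALL_NODES.packed
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip + icmp


# Constructed sample data: documentation MAC range 00-00-5E-00-53-xx and 2001:db8::/32.
ROUTER_MAC = bytes.fromhex("00005e005301")
ROGUE_MAC = bytes.fromhex("00005e005342")
TRUSTED = frozenset({ROUTER_MAC})
SITE_PREFIXES = (ipaddress.IPv6Network("2001:db8:1::/48"),)
GOOD_RA = build_ra(ROUTER_MAC, "fe80::200:5eff:fe00:5301", "2001:db8:1:10::/64")
ROGUE_RA = build_ra(ROGUE_MAC, "fe80::200:5eff:fe00:5342", "2001:db8:dead::/64")


def demo():
    """Run both RAs through a router-facing and a host-facing port policy."""
    return {
        "good on router port": ra_guard(GOOD_RA, "router", TRUSTED, SITE_PREFIXES)[0],
        "rogue on router port": ra_guard(ROGUE_RA, "router", TRUSTED, SITE_PREFIXES)[0],
        "good on host port": ra_guard(GOOD_RA, "host")[0],
        "rogue on host port": ra_guard(ROGUE_RA, "host")[0],
    }


if __name__ == "__main__":
    for port, verdict in demo().items():
        print("%-22s %s" % (port, verdict))
```

The caveat the thread itself hints at: this policy, like any layer-2 RA Guard, trusts the source MAC and port, so a host that spoofs the router's MAC on a router-facing port still gets through, and it only sees RAs it can parse (a real deployment also has to decide what to do with RAs hidden behind extension headers or fragments). That is the gap SEND/CGA is meant to close cryptographically, at the deployment cost TJ alludes to.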

More information about the NANOG mailing list