nanog at daork.net
Wed Feb 18 20:39:10 UTC 2009
On 19/02/2009, at 9:15 AM, Randy Bush wrote:
>> What operational reasons are there for working with RA turned off?
> networks with visitors have shown a serious problem with rogue RAs
Networks with visitors have shown a serious problem with rogue DHCP
Networks with visitors that use DHCPv6 for address assignment will
have the exact same problem if someone comes along with a rogue DHCPv6
You need to push your vendors for features to limit where RA messages
and DHCPv6 messages can be sent from. Coming up with new ways to solve
a problem with an already obvious solution (a solution that we have
for an identical problem in IPv4) sounds like it would take longer to
solve, and sounds like it would introduce even more confusion into
If your ethernet equipment has the ability to filter on ethernet
source/destination then you should be able to do this a little bit now.
- Only allow messages to the all routers multicast address to go to
the switch interfaces that have routers on them.
- Only allow messages to the all DHCPv6 servers multicast address to
go to the switch interfaces that have DHCPv6 servers or relays on them.
If your ethernet equipment can do IPv6 L4 ACLs then that is even
better, you can allow RA messages only from routers, and DHCPv6
responses only from DHCPv6 servers.
Again, this is the same problem we have with DHCP in IPv4. The only
difference is switch vendor support for filtering these messages.
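An added illustration, not part of the original post, of the two filtering options described above. It models a switch's per-port policy in Python over constructed Ethernet/IPv6 frames: the MAC-based option only forwards frames addressed to the all-routers group (ff02::2, MAC 33:33:00:00:00:02) and the All_DHCP_Relay_Agents_and_Servers group (ff02::1:2, MAC 33:33:00:01:00:02) out of ports that have a router or a DHCPv6 server/relay on them; the IPv6 L4 ACL option accepts Router Advertisements (ICMPv6 type 134) only from router ports and DHCPv6 server-to-client replies (UDP 547 -> 546) only from server/relay ports. Port names, MAC addresses, link-local addresses and frame contents are all constructed for the example; this is not any vendor's configuration or code.

```python
"""Port-based RA / DHCPv6 guard modelled on the two filter options in the thread.
Constructed Ethernet/IPv6 frames only: no raw sockets, no switch API (example code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58
EXT_HEADERS = {0, 43, 44, 51, 60}   # hop-by-hop, routing, fragment, AH, destination options
ICMPV6_ROUTER_SOLICIT = 133
ICMPV6_ROUTER_ADVERT = 134
DHCPV6_CLIENT_PORT = 546            # clients send from / listen on 546
DHCPV6_SERVER_PORT = 547            # servers and relays send from / listen on 547

def ip6(addr: str) -> bytes:
    return socket.inet_pton(socket.AF_INET6, addr)

ALL_ROUTERS = ip6("ff02::2")                          # Router Solicitations are sent here
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ip6("ff02::1:2")  # DHCPv6 Solicits are sent here

def mcast_mac(group: bytes) -> bytes:
    """IPv6 multicast MAC: 33:33 followed by the low 32 bits of the group address."""
    return b"\x33\x33" + group[-4:]

@dataclass(frozen=True)
class Port:
    name: str
    has_router: bool = False
    has_dhcpv6_server: bool = False   # a DHCPv6 server or relay sits behind this port

@dataclass(frozen=True)
class Parsed:
    next_header: int
    icmp_type: Optional[int] = None
    udp_sport: Optional[int] = None
    udp_dport: Optional[int] = None

def build_frame(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Ethernet II + fixed IPv6 header + payload. Source MAC is a constructed placeholder."""
    dst_mac = mcast_mac(ip6(dst)) if ip6(dst)[0] == 0xFF else b"\x02\x00\x00\x00\x00\x02"
    eth = dst_mac + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETH_P_IPV6)
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + ip6(src) + ip6(dst)
    return eth + ipv6 + payload

def parse_ipv6(frame: bytes) -> Optional[Parsed]:
    """Fields the L4 ACL needs; None means the IPv6 frame is truncated / unclassifiable."""
    if len(frame) < 54:
        return None
    vtf, plen, nh, _hlim = struct.unpack("!IHBB", frame[14:22])
    if vtf >> 28 != 6:
        return None
    body = frame[54:54 + plen]
    if nh == IPPROTO_ICMPV6:
        return Parsed(nh, icmp_type=body[0]) if len(body) >= 4 else None
    if nh == IPPROTO_UDP:
        if len(body) < 8:
            return None
        sport, dport = struct.unpack("!HH", body[:4])
        return Parsed(nh, udp_sport=sport, udp_dport=dport)
    return Parsed(nh)

def l2_egress_allows(frame: bytes, egress: Port) -> bool:
    """Option 1 (MAC filtering): frames for the all-routers / all-DHCP-servers groups are
    forwarded only out of ports that have a router / DHCPv6 server or relay on them."""
    dst_mac = frame[:6]
    if dst_mac == mcast_mac(ALL_ROUTERS):
        return egress.has_router
    if dst_mac == mcast_mac(ALL_DHCP_RELAY_AGENTS_AND_SERVERS):
        return egress.has_dhcpv6_server
    return True

def l4_ingress_allows(frame: bytes, ingress: Port) -> bool:
    """Option 2 (IPv6 L4 ACL): RAs only from router ports, DHCPv6 server->client replies
    only from server/relay ports. Non-IPv6 frames are not this ACL's business."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return True
    p = parse_ipv6(frame)
    if p is None or p.next_header in EXT_HEADERS:
        return False   # fail closed: truncated frames and extension headers could hide an RA
    if p.next_header == IPPROTO_ICMPV6 and p.icmp_type == ICMPV6_ROUTER_ADVERT:
        return ingress.has_router
    if (p.next_header == IPPROTO_UDP and p.udp_sport == DHCPV6_SERVER_PORT
            and p.udp_dport == DHCPV6_CLIENT_PORT):
        return ingress.has_dhcpv6_server
    return True

# Constructed sample frames (checksums left zero; nothing here validates them).
RA = build_frame("fe80::1", "ff02::1", IPPROTO_ICMPV6,
                 bytes([ICMPV6_ROUTER_ADVERT, 0, 0, 0]) + b"\x40\x00\x07\x08" + b"\x00" * 8)
RS = build_frame("fe80::abcd", "ff02::2", IPPROTO_ICMPV6, bytes([ICMPV6_ROUTER_SOLICIT, 0, 0, 0]) + b"\x00" * 4)
DHCP_SOLICIT = build_frame("fe80::abcd", "ff02::1:2", IPPROTO_UDP,
                           struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01\x00\x00\x01")
DHCP_ADVERTISE = build_frame("fe80::1", "fe80::abcd", IPPROTO_UDP,
                             struct.pack("!HHHH", 547, 546, 12, 0) + b"\x02\x00\x00\x01")
# Same RA, but tucked behind a hop-by-hop extension header (next header 0, one PadN option).
RA_BEHIND_HBH = build_frame("fe80::1", "ff02::1", 0,
                            bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])
                            + bytes([ICMPV6_ROUTER_ADVERT, 0, 0, 0]) + b"\x00" * 12)

UPLINK = Port("gi0/1", has_router=True, has_dhcpv6_server=True)   # constructed port names
VISITOR = Port("gi0/7")

def decisions() -> dict:
    """What each filter does when the visitor port tries to act as a router / DHCPv6 server."""
    return {
        "ra_from_visitor": l4_ingress_allows(RA, VISITOR),
        "ra_from_uplink": l4_ingress_allows(RA, UPLINK),
        "advertise_from_visitor": l4_ingress_allows(DHCP_ADVERTISE, VISITOR),
        "advertise_from_uplink": l4_ingress_allows(DHCP_ADVERTISE, UPLINK),
        "solicit_from_visitor": l4_ingress_allows(DHCP_SOLICIT, VISITOR),
        "ra_behind_ext_header_from_visitor": l4_ingress_allows(RA_BEHIND_HBH, VISITOR),
        "rs_to_uplink": l2_egress_allows(RS, UPLINK),
        "rs_to_visitor": l2_egress_allows(RS, VISITOR),
        "dhcp_solicit_to_visitor": l2_egress_allows(DHCP_SOLICIT, VISITOR),
        "unsolicited_ra_to_visitor_l2": l2_egress_allows(RA, VISITOR),
    }

if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{name:36s} {'PASS' if ok else 'DROP'}")
```

Two things in the output are worth noticing. The MAC-based stage only ever sees frames addressed to the two groups, so it keeps Router Solicitations and DHCPv6 Solicits away from visitor ports but does not touch an unsolicited RA, which is sent to ff02::1 (all nodes); blocking that is what the L4 ACL does. The L4 ACL fails closed on truncated frames and on IPv6 extension headers, because an RA placed behind a hop-by-hop or fragment header is a well-known way of slipping past a filter that only inspects the first next-header byte.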