IPv6 Confusion

Leo Bicknell bicknell at ufp.org
Wed Feb 18 20:53:54 UTC 2009

In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300, Nathan Ward wrote:
> I guess you don't use DHCP in IPv4 then.

No, you seem to think the failure mode is the same, and it is not.

Let's walk through this:

1) 400 people get on the NANOG wireless network.

2) Mr 31337 comes along and puts up a rogue DHCP server.

3) All 400 people continue working just fine until their lease expires,
   which is likely after the conference ends.

   The 10 people who came in late get info from the rogue server, and 
   troubleshooting ensues.

Let's try with IPv6.

1) 400 people get on the NANOG wireless network.

2) Mr 31337 sends a rouge RA.

3) 400 people instantly loose network access.

   The 10 who come in late don't even bother to try and get on.

So, with DHCP handing out a default route we have 10/400 down, with RA's
we have 410/410 down.  Bravo!

Let me clear up something from the start; this is not security.  If
security is what you are after none of the solutions proffered so
far work.  Rather this is robust network design.  A working device
shouldn't run off and follow a new router in miliseconds like a
lost puppy looking for a treat.

This actually offers a lot of protection from stupidity though.  Ever
plug an IPv4 router into the wrong switch port accidently?  What
happened?  Probably nothing; no one on the LAN used the port IP'ed in
the wrong subnet.  They ignored it.

Try that with an IPv6 router.  About 10 ms after you plug into the wrong
port out goes an RA, the entire subnet ceases to function, and your
phone lights up like a christmas tree.

Let me repeat, none of these solutions are secure.  The IPv4/DHCP model
is ROBUST, the RA/DHCPv6 model is NOT.
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090218/265d2069/attachment.sig>

More information about the NANOG mailing list