IPv6 Confusion (back to technical conversation)

TJ trejrco at gmail.com
Thu Feb 19 11:34:39 UTC 2009


>>> I guess you don't use DHCP in IPv4 then.
>> No, you seem to think the failure mode is the same, and it is not.
>> Let's walk through this:
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 comes along and puts up a rogue DHCP server.
>> 3) All 400 people continue working just fine until their lease expires,
>>   which is likely after the conference ends. The 10 people who came in 
>>   late get info from the rogue server, and troubleshooting ensues.

So a delayed failure makes it easier to troubleshoot?
I'd rather know right away.
Also - I'd rather not make the mistake in the first place ... but life isn't
perfect.


>> Let's try with IPv6.
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 sends a rogue RA.
>> 3) 400 people instantly lose network access.
>>   The 10 who come in late don't even bother to try and get on.
>> So, with DHCP handing out a default route we have 10/400 down, with
>> RAs we have 410/410 down.  Bravo!

Right, so a timing difference is all you are talking about - and the
malicious person would probably know his/her limitations, and therefore show
up early.  Same end result.
Also - there are questions over what type of RA was sent (or, more
correctly, what type of payload), the timing of the good RAs, etc.
BUT, the point is taken - yes, rogue RAs are a problem and there is a
solution being developed.


>> Let me clear up something from the start; this is not security.  If
>> security is what you are after none of the solutions proffered so far
>> work.  Rather this is robust network design.  A working device
>> shouldn't run off and follow a new router in milliseconds like a lost
>> puppy looking for a treat.
>>
>> This actually offers a lot of protection from stupidity though.  Ever
>> plug an IPv4 router into the wrong switch port accidentally?  What
>> happened?  Probably nothing; no one on the LAN used the port IP'ed in
>> the wrong subnet.  They ignored it.
>>
>> Try that with an IPv6 router.  About 10 ms after you plug into the
>> wrong port out goes an RA, the entire subnet ceases to function, and
>> your phone lights up like a Christmas tree.

Right ... but you unplug it, NUD flushes and assuming you have your
environment set right all is well in short order.


>> Let me repeat, none of these solutions are secure.  The IPv4/DHCP
>> model is ROBUST, the RA/DHCPv6 model is NOT.

I would still disagree.  More readily supporting multiple routers seems like
a measure of robustness, to me anyway.


>Yup, understood.
>The point I am making is that the solution is still the same - filtering in
>ethernet devices.

YES!


>Perhaps there needs to be something written about detailed requirements for
>this so that people have something to point their switch/etc. vendors at when
>asking for compliance. I will write this up in the next day or two. I guess
>IETF is the right forum for publication of that.
>
>Is there something like this already that anyone knows of?

YES!
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
Push vendors for support, please.

(For wireless, something like PSPF would work just fine AFAIK ... please
correct me if I am wrong!)
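Added example, not part of this thread or of the RA Guard draft: a small monitor that parses a raw IPv6 packet carrying an ICMPv6 Router Advertisement and applies the RA Guard-style policy the thread is asking switch vendors for, i.e. an RA whose sender is not on the allowlist of known routers is flagged as rogue. The allowlist, the `build_ra` helper and the packets it constructs are assumptions made for the example (checksums are left zero).

```python
import struct
import ipaddress

ICMPV6_RA = 134            # ICMPv6 type: Router Advertisement
OPT_SRC_LLADDR = 1         # ND option: Source Link-Layer Address
IPPROTO_ICMPV6 = 58

def parse_ra(pkt: bytes):
    """Return sender, router lifetime and source MAC of an RA, else None.
    Only the plain IPv6 header is handled (no extension headers)."""
    if len(pkt) < 40 or pkt[6] != IPPROTO_ICMPV6:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return None
    # RA body after type/code/checksum: hop limit, flags, router lifetime
    _hop, _flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    mac, off = None, 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            break  # malformed option length; stop rather than loop forever
        if opt_type == OPT_SRC_LLADDR and opt_len == 1:
            mac = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        off += opt_len * 8
    return {"src": str(src), "router_lifetime": lifetime, "mac": mac}

def classify_ra(pkt: bytes, allowed_routers) -> str:
    """RA Guard-style policy: allowed_routers is a set of (link-local, MAC)
    pairs for the legitimate routers on this segment (an assumption here)."""
    ra = parse_ra(pkt)
    if ra is None:
        return "not-ra"
    return "legitimate" if (ra["src"], ra["mac"]) in allowed_routers else "rogue"

def build_ra(src_ll: str, mac: str, lifetime: int) -> bytes:
    """Construct a minimal IPv6 + ICMPv6 RA to ff02::1 (constructed test input)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src_ll).packed \
               + ipaddress.IPv6Address("ff02::1").packed + icmp

if __name__ == "__main__":
    allowed = {("fe80::1", "00:11:22:33:44:55")}  # assumed known router
    for pkt in (build_ra("fe80::1", "00:11:22:33:44:55", 1800),
                build_ra("fe80::dead", "de:ad:be:ef:00:01", 1800)):
        print(parse_ra(pkt), "->", classify_ra(pkt, allowed))
```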