Re: IPv6 Deployment for the LAN

Perry Lorier perry at coders.net
Thu Oct 22 23:50:47 UTC 2009


David W. Hankins wrote:
> On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
>   
>> Really.  How do we deal with rogue DHCP on the wireless LAN, obviously
>> this is such a complex issue that we couldn't possibly have a solution
>> that could be applied to RA.
>>     
>
> There is some wireless equipment that claims to have a setting that
> forces all packets through the wireless bridge (where all traffic is
> between clients and bridge, and never client to client), and so one
> can filter DHCPv6 and maybe RA, but I am kind of skeptical about how
> much of this is elective and dependent upon client implementation...
>   

When you're associated to an AP, you're in a "managed" wireless network, 
where all traffic *must* go through the AP.

I've implemented myself a system which firewalled all ARP within the AP 
and queried the DHCP server asking for the correct MAC for that lease 
then sent the ARP back (as well as firewalling DHCP servers and the 
like).  It's quite easily doable, and quite reliable.  If nodes were to 
send packets directly when associated to an AP then the 802.11 protocol 
would fall apart; I've never met an implementation that broke this 
requirement of the standard.

> In both cases there may still be some wireless adapters that receive
> bogus packets directly from attackers.
>   

You can of course pretend you're the AP and send a packet if you're 
wanting to be vicious enough.
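
The AP-side filtering described in this message, sketched as an added example; it is not code from the original post or from its author's system. It extends the idea to IPv6 RA and DHCPv6, and it assumes a static lease table in place of the DHCP server query, no IPv6 extension headers, and hypothetical names throughout (`classify`, `LEASES`, `eth`).

```python
import struct

# Constructed lease table (IPv4 -> MAC); stands in for asking the DHCP server.
LEASES = {"192.0.2.10": "02:00:00:00:00:10"}

ETH_ARP, ETH_IPV4, ETH_IPV6 = 0x0806, 0x0800, 0x86DD

def u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def classify(frame):
    """Verdict for one Ethernet frame received from a wireless client:
    ("drop", reason), ("arp-reply", mac) or ("forward", None)."""
    if len(frame) < 14:
        return ("drop", "runt frame")
    ethertype, p = u16(frame, 12), frame[14:]
    if ethertype == ETH_ARP:
        if len(p) < 28:
            return ("drop", "truncated ARP")
        if u16(p, 6) != 1:  # assumption: clients may only send ARP requests
            return ("drop", "ARP reply from client")
        owner = LEASES.get(".".join(str(b) for b in p[24:28]))  # target IP
        return ("arp-reply", owner) if owner else ("drop", "no lease for target")
    if ethertype == ETH_IPV4 and len(p) >= 20:
        ihl = (p[0] & 0x0F) * 4
        # UDP with source port 67 is a DHCP server or relay, never a client
        if p[9] == 17 and len(p) >= ihl + 8 and u16(p, ihl) == 67:
            return ("drop", "DHCP server traffic from client")
    if ethertype == ETH_IPV6 and len(p) >= 42:
        nxt, body = p[6], p[40:]  # assumes no extension headers
        if nxt == 58 and body[0] == 134:  # ICMPv6 Router Advertisement
            return ("drop", "router advertisement from client")
        if nxt == 17 and u16(body, 0) == 547:  # DHCPv6 server port
            return ("drop", "DHCPv6 server traffic from client")
    return ("forward", None)

def eth(ethertype, payload):
    """Build a constructed test frame with placeholder MAC addresses."""
    return b"\xff" * 6 + b"\x02" + b"\x00" * 5 + struct.pack("!H", ethertype) + payload

# Constructed samples: an ARP request for 192.0.2.10 and an ICMPv6 RA.
ARP_REQ = eth(ETH_ARP, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
              + bytes(6) + bytes([192, 0, 2, 20]) + bytes(6) + bytes([192, 0, 2, 10]))
RA = eth(ETH_IPV6, b"\x60\x00\x00\x00\x00\x10" + bytes([58, 255]) + bytes(32)
         + bytes([134, 0]) + bytes(14))

if __name__ == "__main__":
    print(classify(ARP_REQ), classify(RA))
```

A filter like this only covers frames that actually pass through the AP; it does nothing about frames forged to look as if they came from the AP, the case raised at the end of the message.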





More information about the NANOG mailing list