{SPAM?} Re: IPv6 Deployment for the LAN

Joel Jaeggli joelja at bogus.com
Sat Oct 24 03:48:35 UTC 2009


On wireless networks you can note the MAC address of the rogue server
and disassociate it from the wireless network. This is rather similar to
what we did on switches prior to DHCP protection; it is reactive, but it
certainly can be automatic.

Some controller-based wireless systems have IPS or NAC functionality
that does this already.

joelja

David W. Hankins wrote:
> On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
>> Really.  How do we deal with rogue DHCP on the wireless LAN? Obviously
>> this is such a complex issue that we couldn't possibly have a solution
>> that could be applied to RA.
> 
> There is some wireless equipment that claims to have a setting that
> forces all packets through the wireless bridge (where all traffic is
> between clients and bridge, and never client to client), and so one
> can filter DHCPv6 and maybe RA, but I am kind of skeptical about how
> much of this is elective and dependent upon client implementation...
> 
> In both cases there may still be some wireless adapters that receive
> bogus packets directly from attackers.
> 
> And then you bring ND into the question and wonder why you bothered
> with either RA or DHCP filtering.
> 
> 
> DHCPv6 (and DHCPv4 with RFC 3118) has per-message cryptographic
> authentication.
> 
> The problem however has been the key distribution model.  Here it all
> falls down, and leads to poor deployment.
> 
> But with DHCPv*, we have a hope that we can secure it if we can solve
> that last problem (and at least I think we can).
> 
> So if you accept that as an outcome, one must ponder the question:
> 
> How long will people accept that a secured DHCPv6 session must rely,
> in order to function to expectations, upon the unsecurable RA and/or
> questionably secure SEND?
> 
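The reactive approach Joel describes (note the MAC of whatever is answering as a DHCP server or router, then disassociate it), as an added example that is not part of the NANOG post or any vendor's controller code. It parses raw Ethernet frames, keeps only those that assert a server or router role (DHCPv4 OFFER/ACK, DHCPv6 ADVERTISE/REPLY, ICMPv6 Router Advertisement) and reports source MACs missing from an operator allowlist; the allowlist, sample frames and link-local addresses are constructed for the example. MACs are spoofable, so this is hygiene of the kind the thread discusses, not the per-message authentication Hankins mentions; IPv6 extension headers and checksums are not handled.

```python
"""Reactive rogue DHCP/RA detector over raw Ethernet frames (added example)."""
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
DHCP_MAGIC = b"\x63\x82\x53\x63"

# Constructed allowlist: MAC of the legitimate AP/router/DHCP relay.
ALLOWED_SERVERS = {"00:11:22:33:44:55"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def dhcpv4_message_type(bootp):
    """Return DHCPv4 option 53 (1=DISCOVER, 2=OFFER, 5=ACK, ...) or None."""
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i + 1 < len(bootp):
        code = bootp[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = bootp[i + 1]
        if code == 53 and length == 1 and i + 2 < len(bootp):
            return bootp[i + 2]
        i += 2 + length
    return None


def classify(frame):
    """Return (role, src_mac) for frames claiming a server/router role, else None."""
    if len(frame) < 14:
        return None
    src = mac_str(frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    p = frame[14:]
    if etype == ETH_IPV4 and len(p) >= 20 and p[0] >> 4 == 4:
        ihl = (p[0] & 0x0F) * 4
        if p[9] != 17 or len(p) < ihl + 8:          # UDP only
            return None
        sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
        # 67 -> 68 is server-to-client; OFFER/ACK is a server speaking
        if (sport, dport) == (67, 68) and dhcpv4_message_type(p[ihl + 8:]) in (2, 5):
            return ("dhcpv4-server", src)
    elif etype == ETH_IPV6 and len(p) >= 40 and p[0] >> 4 == 6:
        nxt, body = p[6], p[40:]                    # no extension-header walk
        if nxt == 58 and body and body[0] == 134:   # ICMPv6 type 134 = RA
            return ("icmpv6-ra", src)
        if nxt == 17 and len(body) >= 9:
            sport, dport = struct.unpack("!HH", body[:4])
            if (sport, dport) == (547, 546) and body[8] in (2, 7):  # ADVERTISE/REPLY
                return ("dhcpv6-server", src)
    return None


def rogue_servers(frames, allowed=ALLOWED_SERVERS):
    """Map each non-allowlisted server-role MAC to the roles it claimed."""
    hits = {}
    for frame in frames:
        result = classify(frame)
        if result and result[1] not in allowed:
            hits.setdefault(result[1], set()).add(result[0])
    return hits


# --- constructed traffic (checksums left zero; the detector never verifies them)
def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def ipv4_udp(sport, dport, data, src_ip=b"\xc0\xa8\x01\x01", dst_ip=b"\xff" * 4):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       src_ip, dst_ip) + udp


def bootp(op, msg_type):
    # op/htype/hlen/hops, xid, 228 zero bytes (secs..file), cookie, options
    return (bytes([op, 1, 6, 0]) + b"\x00\x00\x12\x34" + b"\x00" * 228
            + DHCP_MAGIC + bytes([53, 1, msg_type, 255]))


def ipv6(nxt, hop, src, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, hop, src, dst) + payload


AP, ROGUE, CLIENT, BCAST = (bytes.fromhex("001122334455"), bytes.fromhex("deadbeef0001"),
                            bytes.fromhex("0a0b0c0d0e0f"), b"\xff" * 6)
LL_ROGUE = bytes.fromhex("fe80" + "00" * 13 + "01")
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")
RA = bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)        # lifetime 1800s
DHCP6_ADV = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 0])    # ADVERTISE

SAMPLE_FRAMES = [
    eth(BCAST, AP, ETH_IPV4, ipv4_udp(67, 68, bootp(2, 2))),       # legitimate OFFER
    eth(BCAST, ROGUE, ETH_IPV4, ipv4_udp(67, 68, bootp(2, 2))),    # rogue OFFER
    eth(BCAST, CLIENT, ETH_IPV4, ipv4_udp(68, 67, bootp(1, 1))),   # client DISCOVER: ignored
    eth(bytes.fromhex("333300000001"), ROGUE, ETH_IPV6, ipv6(58, 255, LL_ROGUE, ALL_NODES, RA)),
    eth(CLIENT, ROGUE, ETH_IPV6, ipv6(17, 64, LL_ROGUE, ALL_NODES, DHCP6_ADV)),
]

if __name__ == "__main__":
    for mac, roles in rogue_servers(SAMPLE_FRAMES).items():
        print(f"disassociate {mac}: claimed {sorted(roles)}")
```

In a controller this output would feed a deauthentication/disassociation action keyed on the MAC, which is why the example groups hits by MAC rather than by packet; it only catches traffic the monitoring point can see, which is the limitation Hankins raises for adapters that receive bogus packets directly from attackers.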
