Misconceptions, was: IPv6 RA vs DHCPv6 - The chosen one?
Iljitsch van Beijnum
iljitsch at muada.com
Fri Dec 30 03:31:48 CST 2011
On 29 Dec 2011, at 0:16 , Doug Barton wrote:
> On 12/28/2011 03:13, Iljitsch van Beijnum wrote:
>> However, this has two issues. First, with RAs there are no risks that
>> incorrect default information is propagated because the default
>> gateway itself broadcasts its presence.
> Unless you have a malicious user on the network in which case all
> traffic immediately switches to the malicious user's gateway.
This is a different issue. And although this is / has been common for RAs/stateless autoconfig because some idiot at Microsoft made this happen more or less automatically in some configurations, there really is no difference between DHCPv6 and stateless autoconfig here.
What I'm talking about is the issue where a legitimate DHCP server gives out an incorrect default gateway address because of a configuration mistake. Because a DHCP server that isn't also that same router has no way of knowing that address, this can't be automatically done right, so mistakes happen. Especially at this point with IPv6, where most people don't notice it when it doesn't work most of the time.
> I'm aware that SEND is trying to solve this problem, but it's not
> yet deployed.
SEND is similar to IPsec in this regard: it's not going to be deployed widely because it's too complex to do so.
> I think that people already know of and have solutions for the security
> issues that exist for DHCP today.
Yes, for IPv4. But this is a filtering issue. If you can filter rogue DHCPv6 servers you can also filter rogue RAs.
> 10-12 years ago I attempted to make 2 points to the IPv6 literati. First
> that IPv6 would not be widely adopted in the enterprise until it had
> full DHCP parity with v4. Second that the easiest way to do that would
> be to declare all existing DHCPv4 options that are relevant to IPv6 as
> existing in DHCPv6 by fiat, and to prevent new v6-only options from
> using option numbers that already exist for v4 (and vice versa). I was
> laughed out of the room on both counts.
I agree with you that DHCPv6 doesn't deserve any prizes, not for design, implementation nor time to market. But I disagree that importing all IPv4 cruft into IPv6 for the sake of speeding up deployment that wasn't going to happen anyway would have been a good idea then, let alone now.
> The good news is that it's not too late to fix DHCPv6. We're at a
> watershed moment where it's just possible that we'll get the ability to
> assign a default gateway added to it due to, for lack of a better term,
> market forces. This would be a major paradigm shift. As you point out
> the development lead time on stuff like that is rather painful, however
> if we took advantage of the camel's nose under the tent and included
> "everything relevant that DHCPv4 can do" in that update, we'd be in a
> pretty good condition in a year or so.
You are living in a fantasy world if you think that.
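As an added illustration of the filtering point made above (rogue RAs being no harder to filter than rogue DHCPv6 servers), here is a minimal RA Guard-style check written for this page, not code from the thread. It assumes a capture is available as raw IPv6 packet bytes and that the legitimate routers' link-local addresses are known; the sample packets are constructed inline.

```python
# Added example: a minimal rogue-RA detector in the spirit of RA Guard.
# Parses an IPv6 packet carrying an ICMPv6 Router Advertisement (type 134),
# applies the RFC 4861 validity checks (hop limit 255, link-local source,
# ICMP code 0) and flags any RA whose source is not an allow-listed router.
import ipaddress
import struct

ICMPV6_RA = 134

def build_ra(src, hop_limit=255, code=0):
    """Construct an IPv6 packet carrying an option-less RA (constructed sample data)."""
    # type, code, checksum (left 0; not verified here), cur hop limit,
    # M/O flags, router lifetime, reachable time, retrans timer
    payload = struct.pack("!BBHBBHII", ICMPV6_RA, code, 0, 64, 0, 1800, 0, 0)
    # version 6 / class 0 / flow 0, payload length, next header 58 (ICMPv6), hop limit
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), 58, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + payload

def classify_ra(pkt, allowed_routers):
    """Return 'allowed', 'rogue', 'invalid' or 'not-ra' for one raw IPv6 packet."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return "not-ra"
    hop_limit = pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp_type, icmp_code = pkt[40], pkt[41]
    if icmp_type != ICMPV6_RA:
        return "not-ra"
    # RFC 4861 6.1.2: a host silently discards an RA that fails these checks,
    # so such packets are a protocol violation rather than a rogue router.
    if hop_limit != 255 or not src.is_link_local or icmp_code != 0:
        return "invalid"
    return "allowed" if src in {ipaddress.IPv6Address(a) for a in allowed_routers} else "rogue"

def summarize(packets, allowed_routers):
    """Count verdicts over a capture; a non-zero 'rogue' count is the alert condition."""
    counts = {"allowed": 0, "rogue": 0, "invalid": 0, "not-ra": 0}
    for pkt in packets:
        counts[classify_ra(pkt, allowed_routers)] += 1
    return counts

if __name__ == "__main__":
    # fe80::1 is the assumed legitimate router; fe80::bad is a constructed rogue.
    capture = [build_ra("fe80::1"), build_ra("fe80::bad"), build_ra("fe80::1", hop_limit=64)]
    print(summarize(capture, {"fe80::1"}))  # {'allowed': 1, 'rogue': 1, 'invalid': 1, 'not-ra': 0}
```

The same source-address allow-list logic is what a switch's RA Guard feature applies per port, where the port, not the address, is the trust anchor.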
More information about the NANOG