quietly....
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Wed Feb 2 21:23:45 UTC 2011
On Wed, 2 Feb 2011 07:04:13 -0800
Owen DeLong <owen at delong.com> wrote:
>
> On Feb 2, 2011, at 6:43 AM, Jack Bates wrote:
>
> >
> >
> > On 2/2/2011 8:22 AM, Tony Finch wrote:
> >> Counterexample: rogue RAs from Windows boxes running 6to4 or Teredo and
> >> Internet Connection Sharing. This is a lot harder to fix than a
> >> misconfigured DHCP server.
> >
> > CounterCounterexample: rogue DHCPv6 servers from windows boxes or improperly connected CPEs.
> >
> > Both DHCP(4 or 6) and RA require careful filtering to keep rogues from jacking things up. Though M$ has a nice deployment for authorizing DHCP4 servers in corporate environments.
> >
> It's a lot easier to find and eliminate a rogue DHCP server than a rogue RA.
>
How is that the case? The next hop for the default gateway that the
rogue RA installs is the link local address, you look up the neighbor
cache if the link local address doesn't have a MAC address in it, and
then use layer 2 information to identify where it is attached. That's
also the usual technique for finding and disabling a rogue DHCP server,
so how is it any harder?
Mark
More information about the NANOG
mailing list