Random Port Blocking at Hotels (was: Re: quietly....)

Paul Timmins paul at telcodata.us
Sat Feb 5 22:15:07 CST 2011


John R. Levine wrote:
>> I have told a hotel they need to install equipment that supports RA
>> guard as I've checked out.  This was a hotel that only offered IPv4.
>>
>> Hotels ask for feedback on their services.  If you see a fault, report
>> it in writing.
>
> Sure.  Bet you ten bucks that no hotel in North America offers IPv6 
> this year in the wifi they provide to customers.  (Conference networks 
> don't count.)

I know a hospital in Metro Detroit that was offering it on their patient 
and guest WiFi in 2009. Of course, neither they nor the individual 
running the rogue IPv6 router knew that, but as a person running an 
IPv6-enabled OS, it was really screwing up access to my dual-stacked hosts 
to be getting RAs on their wireless with no prefixes on them. I had to 
filter out RAs in iptables in order to effectively use their WiFi, which 
was a mess to begin with.

The guilty party should remain nameless for Google's sake, but if you're 
a netadmin in a largish, three-location hospital entirely in the 
Detroit suburbs, say the largest inpatient hospital in the country, 
please make sure you either filter IPv6 or offer it yourself so you'll 
at least know if it's broken.

As much as I hear people whining these days about how to handle rogue 
RAs, they don't seem to realize that this is ALREADY an issue on their 
network, even if they haven't, or won't adopt IPv6, and so this is a NOW 
problem either way and needs to be addressed. It's not a barrier to IPv6 
adoption, it's a security threat right this minute. Either block 
protocol 0x86dd using a MAC address prefix list, or traffic with a 
destination of 33:33:00:00:00:01 from all untrusted ports and you can 
now safely enable IPv6, OR just upgrade your gear, and while you're at 
it, you can now safely enable IPv6 anyway.

-Paul
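
An added example, not part of the original post: a Python check that spots the Router Advertisements described above by parsing a raw Ethernet frame for ethertype 0x86dd, destination 33:33:00:00:00:01 and ICMPv6 type 134, then reports whether the sender is an approved router and whether the RA carries any prefix option. The names `classify_frame`, `sample_ra` and `trusted_router_macs` are hypothetical, and the sample frames are constructed, not captured.

```python
import struct

ALL_NODES_MAC = bytes.fromhex("333300000001")   # destination named in the post
ETHERTYPE_IPV6 = 0x86DD                         # protocol named in the post
ICMPV6, ROUTER_ADVERT, OPT_PREFIX_INFO = 58, 134, 3

def classify_frame(frame, trusted_router_macs):
    """Return None for anything that is not an RA, else a dict describing it."""
    if len(frame) < 14 + 40 + 16:               # Ethernet + IPv6 + fixed RA part
        return None
    dst, src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None                             # VLAN-tagged frames not handled
    if frame[14 + 6] != ICMPV6:                 # next header; extension headers
        return None                             # are not walked in this sketch
    icmp = frame[54:]
    if icmp[0] != ROUTER_ADVERT:
        return None
    # Options follow the 16-byte fixed part: type, length in units of 8 bytes.
    prefixes, off = 0, 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0:
            break                               # malformed option, stop parsing
        if opt_type == OPT_PREFIX_INFO:
            prefixes += 1
        off += opt_len
    return {
        "src_mac": src.hex(":"),
        "to_all_nodes": dst == ALL_NODES_MAC,
        "prefix_options": prefixes,             # 0 matches the RAs in the post
        "rogue": src not in trusted_router_macs,
    }

def sample_ra(src_mac, with_prefix):
    """Constructed frame (not a capture): an RA sent to the all-nodes MAC."""
    opts = bytes([OPT_PREFIX_INFO, 4]) + bytes(30) if with_prefix else b""
    icmp = bytes([ROUTER_ADVERT, 0, 0, 0, 64, 0, 0, 0]) + bytes(8) + opts
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + bytes(32)
    return ALL_NODES_MAC + src_mac + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp

if __name__ == "__main__":
    trusted = {bytes.fromhex("020000000001")}   # assumed allowlist of router MACs
    for mac, pfx in (("0200000000aa", False), ("020000000001", True)):
        print(classify_frame(sample_ra(bytes.fromhex(mac), pfx), trusted))
```
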



