Random Port Blocking at Hotels (was: Re: quietly....)
paul at telcodata.us
Sat Feb 5 22:15:07 CST 2011
John R. Levine wrote:
>> I have told a hotel they need to install equipment that supports RA
>> guard as I've checked out. This was a hotel that only offered IPv4.
>> Hotels ask for feedback on their services. If you see a fault report
>> it in writing.
> Sure. Bet you ten bucks that no hotel in North America offers IPv6
> this year in the wifi they provide to customers. (Conference networks
> don't count.)
I know a hospital in Metro Detroit that was offering it on their patient
and guest WiFi in 2009. Of course, neither they, nor the individual
running the rogue IPv6 router knew that, but as a person running an IPv6
enabled OS, it was really screwing up access to my dual stacked hosts
to be getting RAs on their wireless with no prefixes on them. I had to
filter out RAs in iptables in order to effectively use their WiFi, which
was a mess to begin with.
The guilty party should remain nameless for Google's sake, but if you're
a netadmin in a largeish, three location hospital entirely in the
Detroit suburbs, say the largest inpatient hospital in the country,
please make sure you either filter IPv6 or offer it yourself so you'll
at least know if it's broken.
As much as I hear people whining these days about how to handle rogue
RAs, they don't seem to realize that this is ALREADY an issue on their
network, even if they haven't, or won't adopt IPv6, and so this is a NOW
problem either way and needs to be addressed. It's not a barrier to IPv6
adoption, it's a security threat right this minute. Either block
protocol 0x86dd using a MAC address prefix list, or traffic with a
destination of 33:33:00:00:00:01 from all untrusted ports and you can
now safely enable IPv6, OR just upgrade your gear, and while you're at
it, you can now safely enable IPv6 anyway.
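
An added example, not part of the original post: a Python model of the two untrusted-port filters the message describes (drop ethertype 0x86dd, or drop frames addressed to 33:33:00:00:00:01), extended with a check that identifies ICMPv6 Router Advertisements (type 134) for logging. The function names, policy labels and sample frames are constructed for illustration.

```python
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100
ALL_NODES_MAC = bytes.fromhex("333300000001")   # 33:33:00:00:00:01
ICMPV6, RA_TYPE = 58, 134                        # ICMPv6 next-header, RA type

def parse(frame):
    """Return (dst_mac, ethertype, payload), skipping one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    if etype == ETH_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    return frame[:6], etype, frame[off:]

def is_router_advertisement(frame):
    """True for ICMPv6 type 134 directly after the fixed 40-byte IPv6 header.
    Extension-header chains are not walked here."""
    _, etype, ip6 = parse(frame)
    return (etype == ETH_IPV6 and len(ip6) > 40
            and ip6[6] == ICMPV6 and ip6[40] == RA_TYPE)

def verdict(frame, trusted_port, policy):
    """policy 'no-ipv6' drops ethertype 0x86dd; 'no-all-nodes' drops frames
    addressed to 33:33:00:00:00:01. Both apply to untrusted ports only."""
    dst, etype, _ = parse(frame)
    if trusted_port:
        return "forward"
    if policy == "no-ipv6" and etype == ETH_IPV6:
        return "drop"
    if policy == "no-all-nodes" and dst == ALL_NODES_MAC:
        return "drop"
    return "forward"

# Constructed sample frames (addresses are made up; checksum left at zero).
SRC_MAC = bytes.fromhex("020000000001")
IP6_HDR = (struct.pack("!IHBB", 0x60000000, 16, ICMPV6, 255)
           + bytes.fromhex("fe80" + "00" * 13 + "01")     # src fe80::1
           + bytes.fromhex("ff02" + "00" * 13 + "01"))    # dst ff02::1
RA_BODY = bytes([RA_TYPE, 0]) + bytes(14)
RA_FRAME = ALL_NODES_MAC + SRC_MAC + struct.pack("!H", ETH_IPV6) + IP6_HDR + RA_BODY
RA_VLAN = RA_FRAME[:12] + struct.pack("!HH", ETH_VLAN, 10) + RA_FRAME[12:]
IPV4_FRAME = bytes.fromhex("ffffffffffff") + SRC_MAC + struct.pack("!H", 0x0800) + bytes(20)

if __name__ == "__main__":
    for name, f in [("RA", RA_FRAME), ("RA+VLAN", RA_VLAN), ("IPv4", IPV4_FRAME)]:
        print(name, is_router_advertisement(f),
              verdict(f, False, "no-ipv6"), verdict(f, False, "no-all-nodes"))
```

Running `is_router_advertisement` over frames mirrored from untrusted ports also shows whether a network that has not deployed IPv6 is already receiving RAs, which is the situation the post describes.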