The stupidity of trying to "fix" DHCPv6

Leo Bicknell bicknell at ufp.org
Fri Jun 10 15:27:58 CDT 2011


In a message written on Fri, Jun 10, 2011 at 09:57:07PM +0200, Iljitsch van Beijnum wrote:
> If only. Having third parties point to routers is less robust than having routers announce their own presence. In the telco world, there's a separation between the control and data channels, which has important security advantages. But the IETF has always favored fate sharing. It makes routing protocols more robust and it makes RA more robust than IPv4 DHCP.

Apparently we don't have a long enough view of history, as history
will tell you that this is wrong.

You see, we tried the RA experiement once before.  Let's go back
to the Internet circa 1988, or so.

There was a time when it was very common for routers to run RIP.
There was a time when Sun systems (in particular, other vendors did
the same) shipped with routed enabled by default.  Many of these
systems learned their default gateway by listening to these RIP
announcements.

The funny thing is, no one does this anymore.  We turned off RIP,
turned off routed, and invented things like HSRP to handle router
redundancy.  These things weren't done because someone was bored,
no, they were done because these RIP deployments failed, repeatedly
and often.  Any device could broadcast bad information, and they
did.  It could be a legitimate network admin plugging a cable into
the wrong jack, or it could be a hacker who rooted a machine and
is injecting bad information on purpose.

I submit to you those who designed RA's do not remember those days,
and did not study history.  The only difference is that RA's only
carry a default route, where as RIP could carry several routes.
The security model is identical.  The failure modes are largely
overlapping.

IPv4 also had a similar feature, ICMP router discovery, RFC 1256.
Works a little different than RA's do, but not a lot.  Have you ever
seen it used?  I haven't.

Least you think the IETF is proud of their RA work, one needs look
no further than RFC 6104, where they carefully document the problem
of rogue RA's and provide a list of solutions.  Indeed, my proposed
DHCP solution is documented in section 3.10.  The IETF seems to
think SEND is the solution, but it also requires deploying new
software to 100% of all devices in order to be the solution.

> People who don't like this should blame their younger selves who failed to show up at the IETF ten years ago to get this done while DHCPv6 was still clean slate.

I participated until a working group chair told some protocol wonks
"Don't listen to him, he's an operator and doesn't understand IPv6
yet."  The IETF has a long history of being openly hostle to operators.

That was the day I gave up on the IETF.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20110610/383e1647/attachment.bin>


More information about the NANOG mailing list