The stupidity of trying to "fix" DHCPv6

Owen DeLong owen at delong.com
Tue Jun 14 17:08:30 CDT 2011


On Jun 14, 2011, at 11:14 AM, Ray Soucy wrote:

>> On Jun 14, 2011, at 1:41 PM, Owen DeLong wrote:
>> What is needed is:
>> 
>>       -       Native RA Guard in switches
>>       -       Native DHCPv6 Snooping in switches
>>       -       Native RA Guard in WAPs
>>       -       Native DHCPv6 Snooping in WAPs
>>       -       Additional options to DHCPv6 for Routing Information
>>       -       Eventual changes to host DHCPv6 Client behavior so that
>>               DHCP does occur when RA not present.
> 
> Agree 100%
> 
> Especially with the last one; DHCPv6 clients shouldn't even be started
> unless they see the M flag set; but that's an implementation
> challenge.

That's the current broken behavior. The goal is to correct that problem.

> 
> Would probably include something analogous to ARP inspection for
> neighbor discovery; and that router implementations are modified so
> that once full, the neighbor table won't throw out known associations
> in favor of unknown associations to mitigate the denial of service
> attack vector present when using 64-bit prefixes.  Perhaps DAD
> flooding protection too.  It's a "new" protocol, so it will take a
> while for all these things to be worked out and become standard.
> 

That would also likely be good, but, I don't think that requires IETF effort.

> On Tue, Jun 14, 2011 at 2:00 PM, Ben Jencks <ben at bjencks.net> wrote:
> 
>> This has always confused me. What aspect of host configuration is the router providing that's so
>> problematic? The prefix, which has to match on the router and host in order for anything to work
>> anyway? The indication to go use DHCPv6, which doesn't really add anything since you need to
>> configure a DHCPv6 proxy anyway? There's just so little information in an RA, and the router needs to
>> know it all anyway, that I'm having trouble understanding what environment would find this so
>> horrifying.
> 
> And This.
> 
> Really, people make way too big a deal about RA, and I think most of
> it comes from the lack of vendor support for filtering of rouge RA and
> the fact that Windows ICS happily sends them out.
> 

No, that is not the only place it comes from. There are real world networks
that don't have a good solution with RA because RA assumes that link==subnet
and that simply isn't true in all cases.

> I still blame vendors; this design has been known for a long time now
> and they still haven't come up to speed, in part because people spend
> their time complaining on NANOG instead of to their sales rep.
> 

Believe me, I've done both.

Owen

> -- 
> Ray Soucy
> 
> Epic Communications Specialist
> 
> Phone: +1 (207) 561-3526
> 
> Networkmaine, a Unit of the University of Maine System
> http://www.networkmaine.net/





More information about the NANOG mailing list