turning on comcast v6

Fri Jan 3 06:30:03 UTC 2014

I'd argue that while the timing may be different, RA and DHCP attacks are
largely the same and are simply variations on a theme.

And, regardless of the protocol in question, represent attacks which should
be defended against.

As is often (always?) the case, there are tradeoffs - and the pros and cons
of those tradeoffs will be weighted differently by different parties.

/TJ

On Jan 3, 2014 12:00 AM, "Matthew Kaufman" <matthew at matthew.at> wrote:
>
> On 12/30/2013 4:56 PM, Owen DeLong wrote:
>>
>> You can accomplish the same thing in IPv4….
>>
>>
>> Plug in Sally’s PC with Internet Connection Sharing turned on and watch
as her
>> DHCP server takes over your network.
>
>
> Not nearly as fast as bad RAs do (as others have pointed out).
>
>
>>
>> Yes, you have to pay attention when you plug in a router just like you’d
have to pay attention if you plugged in a DHCP server you were getting
ready to recycle.
>
>
> But the ability to plug in a not-router and break things is oh so much
greater.
>
>>
>> Incompetence in execution really isn’t the protocol’s fault.
>
>
> But it is the protocol designer's fault... and once shipped, the
protocol's fault. There's all sorts of things that were known at the time
IPv6 was designed that the designers failed to build solutions for. As an
example, routers *could* be a lot smarter about sending RAs on a network
where routers are already present, but that's not in the spec.
>
> Neither the ND DOS attack nor the need to protect against bogus RAs on
every port of your switch but one (or rarely, two) are things that should
have been a post-deployment surprise (to name just a couple pet peeves of
mine... there's more design flaws that could have been easily avoided had
enough people cared to do so).
>
> Matthew Kaufman
>
>
>