turning on comcast v6

Paul Ferguson fergdawgster at mykolab.com
Sat Jan 4 02:27:05 UTC 2014


What DHCP attacks?

Humor me... What DHCP "attacks"?

- ferg


On 1/3/2014 5:52 PM, Owen DeLong wrote:

>
> On Jan 3, 2014, at 12:40 AM, Doug Barton <dougb at dougbarton.us> wrote:
>
>> On 01/02/2014 10:30 PM, TJ wrote:
>>> I'd argue that while the timing may be different, RA and DHCP attacks
>>> are largely the same and are simply variations on a theme.
>>
>> Utter nonsense. The ability to nearly-instantly switch traffic for nearly-all nodes on the network is a very different thing than what a rogue DHCP server could do, even if you have ridiculously short lease times, which most don’t.
>
> Not entirely true, actually… If you’re willing to work hard enough at it, most hosts can be “encouraged” to renew early.
>
>> Further, by far the common case is for network gear to _already_ be configured to avoid permitting hosts to act as DHCP servers unless they are supposed to be. It's rare to even find a network device that has RA Guard capabilities, never mind one that has them turned on.
>
> Well… Sure, 15 years after DHCP attacks first started being a serious problem… I doubt it will take anywhere near 15 years for RA guard on by default to be the norm in switches, etc.
>
>> There is simply no good reason not to include default route in the configuration for DHCPv6, and it's long overdue.
>
> As I’ve said before, if we’re going to bother doing it, we should just include RIO options, but otherwise, I agree with you.
>
> Owen
>
>
>
>


-- 
Paul Ferguson
PGP Public Key ID: 0x63546533




