turning on comcast v6

Ricky Beam jfbeam at gmail.com
Mon Jan 6 20:57:00 UTC 2014

On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong <owen at delong.com> wrote:
> A router, yes. THE router, not unless the network is very stupidly put  
> together.

Like every win7 and win8 machine on the planet?  (IPv6 is installed and  
enabled by default. Few places have IPv6 enabled on their LAN, so a single  
RA would, indeed, 0wn3z those machines instantly.)

> I disagree. Unlike with DHCP guard, RA guard can make reasonable  
> predictions in most cases. Switches with “uplink” ports designated, for  
> example, could easily default to permitting RAs only from those ports.

One cannot **GUESS** the security for a network. You must either *know* or  
*not know* what's on a port.  What makes a port "uplink" (read:  
"trusted")? The only way to know for sure, without creating surprises or  
exploitable holes, is make the ADMIN explicitly SET EACH PORT.  That's the  
way DHCP Guard works.  That's the way spanning-tree portfast, bpdu guard,  
root guard, etc., etc. works.  That's the way port security works.  And  
that's the way RA Guard WILL be done.

More information about the NANOG mailing list