nanog mailing list archives

RE: IPv6 delivery model to end customers


From: "TJ" <trejrco () gmail com>
Date: Mon, 9 Feb 2009 13:58:43 -0500

A big one is a solution to address the security concerns with IPv6 RA
(Router Advertisement) and rogue DHCPv6. On IPv4 networks we have the option
of using DHCP snooping to suppress unauthorized DHCP servers from handing
out address information. With IPv6, any host can announce itself as a router
(using RA) and make network traffic suddenly start making use of it as the
router for a network. This makes it possible for hosts to inadvertently
disrupt network service (Vista) or even be used maliciously to perform a
man-in-the-middle attack to intercept your traffic. Similarly with DHCPv6
there is nothing stopping a host from trying to hand out stateful IPv6
address configuration.

Even worse is that since modern hosts give traffic priority to IPv6, it
becomes easy for a rogue host (Vista) to advertise itself as an IPv6 router
on IPv4-only networks. So there are security concerns even for networks that
do not run IPv6 here.

I think it goes without saying that this needs to be addressed before
IPv6 can be deployed on most campus networks where users manage their own
PCs.

So Cisco (and other vendors) needs to introduce two things for LAN
switching. DHCPv6 snooping, and more importantly, RA suppression (or RA
snooping).

Indeed, this is a problem.
RA Guard is a very straightforward, hopefully soon-to-be-widely-supported,
defense.
        http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

A "pure layer 3" solution is, of course, SEND/CGA ... where deployment
concerns/problems abound ...
        http://tools.ietf.org/html/rfc3971 &
        http://tools.ietf.org/html/rfc3972

And as I may have said once or thrice already, YES - I agree these solutions
should have been developed / made deployable long before now.


As far as IPv6 deployment to residential customers...  I say most things
these days are moving to Metro Ethernet.  Give ea. customer a VLAN, that
will save you a lot of headache and ultimately provide a better experience
for the customer.

Amen to that ...
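The RA Guard and DHCPv6 snooping behaviour discussed earlier in this message, as an added example that is not part of the original post, the cited draft, or any vendor's implementation: a small Python model of the per-frame decision a snooping switch makes. It decodes the standard Ethernet II / IPv6 / ICMPv6 / UDP fields, treats a constructed set of port names (`Gi1/0/48` as the uplink, `Gi1/0/5` as a host port) as the trust policy, and builds its own sample frames inline; the MAC addresses, port names and the idea of a `TRUSTED_PORTS` set are assumptions made for the example. ICMPv6 checksums are left at zero and not verified.

```python
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58
NH_UDP = 17
ICMPV6_RA = 134           # ICMPv6 type: Router Advertisement
DHCPV6_SERVER_PORT = 547  # DHCPv6 servers and relays send from UDP 547

# Constructed policy (assumption for this example): only the uplink may
# originate RAs or DHCPv6 server messages; every other port faces hosts.
TRUSTED_PORTS = {"Gi1/0/48"}


def classify_frame(frame):
    """Return "ra", "dhcpv6-server" or None for an Ethernet II frame.

    Only the fields a snooping switch needs are decoded. IPv6 extension
    headers are not walked: a frame whose Next Header is neither ICMPv6 nor
    UDP is treated as 'not RA/DHCPv6'. That is the known weak spot of naive
    RA Guard filters (RFC 7113 gives implementation advice on it); a real
    filter must either parse the full header chain or drop what it cannot
    classify.
    """
    if len(frame) < 14 + 40:          # Ethernet header + fixed IPv6 header
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV6:
        return None
    payload_len = struct.unpack("!H", frame[18:20])[0]
    next_header = frame[20]
    payload = frame[54:54 + payload_len]
    if next_header == NH_ICMPV6 and len(payload) >= 16 and payload[0] == ICMPV6_RA:
        return "ra"
    if next_header == NH_UDP and len(payload) >= 8:
        src_port = struct.unpack("!H", payload[0:2])[0]
        if src_port == DHCPV6_SERVER_PORT:
            return "dhcpv6-server"
    return None


def guard_decision(ingress_port, frame):
    """RA Guard / DHCPv6 snooping policy for one frame on one ingress port.

    Trusted ports forward everything; host ports drop Router Advertisements
    and DHCPv6 server messages and forward all other traffic unchanged.
    """
    kind = classify_frame(frame)
    if kind is None or ingress_port in TRUSTED_PORTS:
        return "forward"
    return "drop:" + kind


def ipv6_frame(src_mac, next_header, payload):
    """Constructed Ethernet/IPv6 frame from src_mac's link-local address to ff02::1."""
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    # Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe.
    iid = bytes([src_mac[0] ^ 0x02]) + src_mac[1:3] + b"\xff\xfe" + src_mac[3:]
    src = bytes.fromhex("fe80" + "00" * 6) + iid
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    # Version 6, traffic class/flow label 0, payload length, next header, hop limit 255.
    ipv6 = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst
    return eth + ipv6 + payload


# Constructed sample addresses (not real devices).
UPLINK_MAC = bytes.fromhex("001122334455")
HOST_MAC = bytes.fromhex("0a1b2c3d4e5f")


def run_demo():
    """Apply the policy to four constructed frames and return the decisions."""
    # RA: type 134, code 0, checksum 0, cur hop limit 64, flags 0,
    # router lifetime 1800 s, reachable time 0, retrans timer 0.
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    # DHCPv6 Advertise (msg type 2) inside a UDP header from port 547 to 546.
    dhcp_advertise = struct.pack("!HHHH", 547, 546, 8 + 4, 0) + b"\x02\x00\x00\x01"
    # ICMPv6 Echo Request (type 128): ordinary host traffic that must pass.
    echo = struct.pack("!BBHHH", 128, 0, 0, 1, 1)

    cases = [
        ("Gi1/0/48", ipv6_frame(UPLINK_MAC, NH_ICMPV6, ra)),      # the real router
        ("Gi1/0/5", ipv6_frame(HOST_MAC, NH_ICMPV6, ra)),         # host announcing itself as a router
        ("Gi1/0/5", ipv6_frame(HOST_MAC, NH_UDP, dhcp_advertise)),  # host acting as DHCPv6 server
        ("Gi1/0/5", ipv6_frame(HOST_MAC, NH_ICMPV6, echo)),       # normal host traffic
    ]
    return [guard_decision(port, frame) for port, frame in cases]


if __name__ == "__main__":
    for port_decision in run_demo():
        print(port_decision)
```

The point of the model is the asymmetry the thread asks for: the switch does not need to understand router reachability or address configuration, only which ports are allowed to originate RA and DHCPv6 server traffic, and it drops those two message types from everything else while leaving ordinary ICMPv6 and UDP alone. The extension-header caveat in `classify_frame` is the part that separates a toy filter from a deployable one.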
