nanog mailing list archives
Re: IPv6 Confusion
From: Nathan Ward <nanog () daork net>
Date: Thu, 19 Feb 2009 09:39:10 +1300
On 19/02/2009, at 9:15 AM, Randy Bush wrote:
>> What operational reasons are there for working with RA turned off?
> networks with visitors have shown a serious problem with rogue RAs
Networks with visitors have shown a serious problem with rogue DHCP servers. Networks with visitors that use DHCPv6 for address assignment will have the exact same problem if someone comes along with a rogue DHCPv6 server.
You need to push your vendors for features to limit where RA messages and DHCPv6 messages can be sent from. Coming up with new ways to solve a problem with an already obvious solution (a solution that we have for an identical problem in IPv4) sounds like it would take longer to solve, and sounds like it would introduce even more confusion into this space.
If your ethernet equipment has the ability to filter on ethernet source/destination then you should be able to do this a little bit now.
- Only allow messages to the all routers multicast address to go to the switch interfaces that have routers on them.
- Only allow messages to the all DHCPv6 servers multicast address to go to the switch interfaces that have DHCPv6 servers or relays on them.
If your ethernet equipment can do IPv6 L4 ACLs then that is even better, you can allow RA messages only from routers, and DHCPv6 responses only from DHCPv6 servers.
Again, this is the same problem we have with DHCP in IPv4. The only difference is switch vendor support for filtering these messages.
-- Nathan Ward
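The two filtering rules described in the message above, written out as a per-frame forwarding decision in Python (an added example, not part of the original post and not any vendor's implementation). The port role labels and the names `allow` and `build_frame` are hypothetical, the sample frames are constructed, and frames are assumed to be untagged with no IPv6 extension headers.

```python
import struct

ALL_NODES_MAC = bytes.fromhex("333300000001")    # ff02::1, where RAs are sent
ALL_ROUTERS_MAC = bytes.fromhex("333300000002")  # ff02::2
ALL_DHCP_MAC = bytes.fromhex("333300010002")     # ff02::1:2, DHCPv6 servers and relays
ETH_IPV6, NH_UDP, NH_ICMPV6 = 0x86DD, 17, 58
ICMPV6_RA, DHCPV6_SERVER_PORT = 134, 547

def allow(frame: bytes, ingress_role: str, egress_role: str) -> bool:
    """Forwarding decision for one frame between two switch ports.
    Roles are hypothetical labels: 'router', 'dhcp' (server or relay), 'access'."""
    if len(frame) < 14:
        return False
    dst = frame[:6]
    # L2 rule: all-routers / all-DHCPv6-servers multicast only reaches ports that have them.
    if dst == ALL_ROUTERS_MAC and egress_role != "router":
        return False
    if dst == ALL_DHCP_MAC and egress_role != "dhcp":
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return True                      # not IPv6: outside these rules
    if len(frame) < 14 + 40 + 2:
        return False                     # truncated IPv6 packet
    next_header, l4 = frame[14 + 6], frame[54:]
    # L4 rule: RAs only from router ports, DHCPv6 server messages only from dhcp ports.
    # Assumption: no VLAN tag and no IPv6 extension headers ahead of the L4 header.
    if next_header == NH_ICMPV6 and l4[0] == ICMPV6_RA:
        return ingress_role == "router"
    if next_header == NH_UDP and struct.unpack("!H", l4[:2])[0] == DHCPV6_SERVER_PORT:
        return ingress_role == "dhcp"
    return True

def build_frame(dst_mac: bytes, next_header: int, l4: bytes) -> bytes:
    """Constructed sample frame with zeroed source MAC and IPv6 addresses."""
    ipv6 = struct.pack("!IHBB", 6 << 28, len(l4), next_header, 255) + bytes(32)
    return dst_mac + bytes(6) + struct.pack("!H", ETH_IPV6) + ipv6 + l4

CLIENT_MAC = bytes.fromhex("020000000001")       # constructed unicast address
RA = build_frame(ALL_NODES_MAC, NH_ICMPV6, bytes([134, 0]) + bytes(14))
RS = build_frame(ALL_ROUTERS_MAC, NH_ICMPV6, bytes([133, 0]) + bytes(6))
SOLICIT = build_frame(ALL_DHCP_MAC, NH_UDP, struct.pack("!HHHH", 546, 547, 12, 0) + b"\x01abc")
REPLY = build_frame(CLIENT_MAC, NH_UDP, struct.pack("!HHHH", 547, 546, 12, 0) + b"\x07abc")

if __name__ == "__main__":
    for name, frame in [("RA", RA), ("RS", RS), ("SOLICIT", SOLICIT), ("REPLY", REPLY)]:
        for ingress in ("access", "router", "dhcp"):
            print(name, "from", ingress, "port ->", allow(frame, ingress, "access"))
```
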