nanog mailing list archives

Re: IPv6 Confusion


From: Nathan Ward <nanog () daork net>
Date: Thu, 19 Feb 2009 10:00:48 +1300

On 19/02/2009, at 9:53 AM, Leo Bicknell wrote:

In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300, Nathan Ward wrote:
I guess you don't use DHCP in IPv4 then.

No, you seem to think the failure mode is the same, and it is not.

Let's walk through this:

1) 400 people get on the NANOG wireless network.

2) Mr 31337 comes along and puts up a rogue DHCP server.

3) All 400 people continue working just fine until their lease expires,
  which is likely after the conference ends.

  The 10 people who came in late get info from the rogue server, and
  troubleshooting ensues.

Let's try with IPv6.

1) 400 people get on the NANOG wireless network.

2) Mr 31337 sends a rogue RA.

3) 400 people instantly lose network access.

  The 10 who come in late don't even bother to try and get on.

So, with DHCP handing out a default route we have 10/400 down, with RAs
we have 410/410 down.  Bravo!

Let me clear up something from the start; this is not security.  If
security is what you are after none of the solutions proffered so
far work.  Rather this is robust network design.  A working device
shouldn't run off and follow a new router in milliseconds like a
lost puppy looking for a treat.

This actually offers a lot of protection from stupidity though.  Ever
plug an IPv4 router into the wrong switch port accidentally?  What
happened?  Probably nothing; no one on the LAN used the port IP'ed in
the wrong subnet.  They ignored it.

Try that with an IPv6 router. About 10 ms after you plug into the wrong
port out goes an RA, the entire subnet ceases to function, and your
phone lights up like a Christmas tree.

Let me repeat, none of these solutions are secure. The IPv4/DHCP model
is ROBUST, the RA/DHCPv6 model is NOT.


Yup, understood.

The point I am making is that the solution is still the same - filtering in Ethernet devices.

Perhaps there needs to be something written about detailed requirements for this so that people have something to point their switch/etc. vendors at when asking for compliance. I will write this up in the next day or two. I guess IETF is the right forum for publication of that.

Is there something like this already that anyone knows of?

--
Nathan Ward
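
The "filtering in Ethernet devices" discussed above is the approach later standardised as RA Guard (RFC 6105): the access switch inspects ICMPv6 Router Advertisements and only forwards those from ports or sources it is configured to trust. The following is an added example, not code from the thread or from any vendor: a small Python model of such a filter that parses raw Ethernet/IPv6/ICMPv6 frames, verifies the checks RFC 4861 already imposes on RAs (hop limit 255, link-local source), and then applies an allowlist of router MAC addresses. ALLOWED_ROUTER_MACS is an assumed policy, and every frame it processes is constructed in the code itself.

```python
"""RA Guard-style filter for IPv6 Router Advertisements (added example, not from the thread)."""
import ipaddress
import struct
from typing import Optional

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
ALL_NODES_MAC = bytes.fromhex("333300000001")            # Ethernet multicast MAC for ff02::1
ALL_NODES_IP = ipaddress.IPv6Address("ff02::1").packed

# Hypothetical port policy: the only device on this LAN allowed to originate RAs.
ALLOWED_ROUTER_MACS = {"00:00:5e:00:01:01"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def icmpv6_checksum(src_ip: bytes, dst_ip: bytes, icmp: bytes) -> int:
    """RFC 4443 one's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src_ip + dst_ip + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src_mac: str, src_ip: str, hop_limit: int = 255, router_lifetime: int = 1800) -> bytes:
    """Construct an Ethernet/IPv6/ICMPv6 Router Advertisement frame (constructed test input)."""
    src_ip_b = ipaddress.IPv6Address(src_ip).packed
    # RA body: cur hop limit, flags (M|O), router lifetime, reachable time, retrans timer
    body = struct.pack("!BBHII", 64, 0x00, router_lifetime, 0, 0)
    # Source link-layer address option: type 1, length 1 (8 bytes)
    body += struct.pack("!BB", 1, 1) + bytes.fromhex(src_mac.replace(":", ""))
    icmp = struct.pack("!BBH", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0) + body
    csum = icmpv6_checksum(src_ip_b, ALL_NODES_IP, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ip_hdr = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit) + src_ip_b + ALL_NODES_IP
    eth = ALL_NODES_MAC + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip_hdr + icmp


def parse_ra(frame: bytes) -> Optional[dict]:
    """Return the fields the filter cares about, or None if the frame is not an ICMPv6 RA."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6 or frame[14] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", frame[18:22])
    # Extension headers are not walked here; RFC 6980 says fragmented ND must be dropped anyway.
    if next_hdr != IPPROTO_ICMPV6:
        return None
    src_ip, dst_ip = frame[22:38], frame[38:54]
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    return {
        "src_mac": mac_str(src_mac),
        "src_ip": ipaddress.IPv6Address(src_ip),
        "hop_limit": hop_limit,
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
        # Summing over a message that already carries its checksum yields 0 when intact.
        "checksum_ok": icmpv6_checksum(src_ip, dst_ip, icmp) == 0,
    }


def ra_guard_verdict(frame: bytes) -> str:
    """'forward' for non-RA traffic and RAs from an authorised router, else 'drop: <reason>'."""
    ra = parse_ra(frame)
    if ra is None:
        return "forward"
    if not ra["checksum_ok"]:
        return "drop: bad ICMPv6 checksum"
    if ra["hop_limit"] != 255:
        return "drop: hop limit != 255, RA did not originate on-link (RFC 4861)"
    if not ra["src_ip"].is_link_local:
        return "drop: RA source address is not link-local (RFC 4861)"
    if ra["src_mac"] not in ALLOWED_ROUTER_MACS:
        return f"drop: RA from unauthorised source {ra['src_mac']}"
    return "forward"


if __name__ == "__main__":
    # Constructed frames: the real router, Mr 31337's rogue RA, and an RA relayed off-link.
    for label, frame in [
        ("real router", build_ra("00:00:5e:00:01:01", "fe80::200:5eff:fe00:101")),
        ("rogue RA", build_ra("de:ad:be:ef:00:01", "fe80::dead:beef")),
        ("hop limit 64", build_ra("00:00:5e:00:01:01", "fe80::1", hop_limit=64)),
    ]:
        print(f"{label:12s} -> {ra_guard_verdict(frame)}")
```

The point of the allowlist check is the one Leo makes above: hosts will follow a new RA within milliseconds, so the only place to stop a rogue RA is at the switch port before it reaches them. The hop-limit and link-local checks are cheap and catch misrouted or tunnelled RAs, but by themselves they do nothing against an attacker on the same LAN, which is why the per-port source policy is the part that matters.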


