19 Feb 2009, 6:34 a.m.
>>> I guess you don't use DHCP in IPv4 then.

>> No, you seem to think the failure mode is the same, and it is not.
>> Let's walk through this:
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 comes along and puts up a rogue DHCP server.
>> 3) All 400 people continue working just fine until their lease expires,
>> which is likely after the conference ends. The 10 people who came in
>> late get info from the rogue server, and troubleshooting ensues.

So a delayed failure makes it easier to troubleshoot? I'd rather know right away. Also - I'd rather not make the mistake in the first place ... but life isn't perfect.

>> Let's try with IPv6.
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 sends a rogue RA.
>> 3) 400 people instantly lose network access.
>> The 10 who come in late don't even bother to try and get on.
>> So, with DHCP handing out a default route we have 10/400 down, with
>> RA's we have 410/410 down. Bravo!

Right, so a timing difference is all you are talking about - and the malicious person would probably know his/her limitations, and therefore show up early. Same end result.

Also - there are questions over what type of RA was sent (or, more correctly, what type of payload), the timing of the good RAs, etc.

BUT, the point is taken - yes, rogue RAs are a problem and there is a solution being developed.

>> Let me clear up something from the start; this is not security. If
>> security is what you are after none of the solutions proffered so far
>> work. Rather this is robust network design. A working device
>> shouldn't run off and follow a new router in milliseconds like a lost
>> puppy looking for a treat.
>>
>> This actually offers a lot of protection from stupidity though. Ever
>> plug an IPv4 router into the wrong switch port accidentally? What
>> happened? Probably nothing; no one on the LAN used the port IP'ed in
>> the wrong subnet. They ignored it.
>>
>> Try that with an IPv6 router. About 10 ms after you plug into the
>> wrong port out goes an RA, the entire subnet ceases to function, and
>> your phone lights up like a Christmas tree.

Right ... but you unplug it, NUD flushes, and assuming you have your environment set right all is well in short order.

>> Let me repeat, none of these solutions are secure. The IPv4/DHCP
>> model is ROBUST, the RA/DHCPv6 model is NOT.

I would still disagree. More readily supporting multiple routers seems like a measure of robustness, to me anyway.

> Yup, understood.
> The point I am making is that the solution is still the same - filtering in
> ethernet devices.

YES!

> Perhaps there needs to be something written about detailed requirements for
> this so that people have something to point their switch/etc. vendors at when
> asking for compliance. I will write this up in the next day or two. I guess
> IETF is the right forum for publication of that.
>
> Is there something like this already that anyone knows of?

YES!

http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

Push vendors for support, please.

(For wireless, something like PSPF would work just fine AFAIK ... please correct me if I am wrong!)
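The thread's fix is filtering Router Advertisements at the Ethernet edge (what the RA Guard draft specifies for switches). As an added example, not code from this thread, from NANOG, or from the RA Guard draft, here is a small Python script that parses raw Ethernet/IPv6/ICMPv6 RA frames and applies the checks a port filter would apply before forwarding: hop limit 255 and a link-local source (both required of RAs by RFC 4861), plus an allowlist of (link-local address, MAC) pairs for the legitimate routers on the segment. Everything here is constructed: the MAC addresses, the fe80:: addresses, the 2001:db8: prefixes and the frames themselves are made up for the demonstration, and the ICMPv6 checksum is left as zero and not verified.

```python
"""Rogue Router Advertisement filter (added example; all frames are constructed)."""
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
ALL_NODES_MAC = bytes.fromhex("333300000001")      # 33:33:00:00:00:01
ALL_NODES_IP = ipaddress.IPv6Address("ff02::1")


def build_ra(src_mac, src_ip, router_lifetime, prefix, hop_limit=255):
    """Construct an Ethernet/IPv6/ICMPv6 RA frame for testing.
    The ICMPv6 checksum is left as zero; parse_ra() does not verify it."""
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (32 bytes), L and A flags set.
    prefix_opt = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                             2592000, 604800, 0) + net.network_address.packed
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer.
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                       router_lifetime, 0, 0) + prefix_opt
    ip6 = (struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ip).packed + ALL_NODES_IP.packed)
    eth = (ALL_NODES_MAC + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IPV6))
    return eth + ip6 + icmp


def parse_ra(frame):
    """Return a dict describing the RA in `frame`, or None if it is not an RA."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    off = 16
    while off + 2 <= len(icmp):                 # walk the ND options (8-byte units)
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                           # RFC 4861: zero-length option is malformed
            break
        body = icmp[off:off + olen * 8]
        if otype == ND_OPT_PREFIX_INFO and len(body) == 32:
            prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        off += olen * 8
    return {
        "src_mac": src_mac.hex(":"),
        "src_ip": ipaddress.IPv6Address(ip6[8:24]),
        "hop_limit": hop_limit,
        "router_lifetime": router_lifetime,
        "prefixes": prefixes,
    }


def classify(ra, allowed_routers):
    """'ok' for an RA from an allowed router that is framed as RFC 4861 requires,
    otherwise a 'drop: ...' reason. allowed_routers maps link-local address -> MAC."""
    if ra["hop_limit"] != 255:
        return "drop: hop limit != 255"           # not originated on this link
    if not ra["src_ip"].is_link_local:
        return "drop: source is not link-local"
    expected_mac = allowed_routers.get(str(ra["src_ip"]))
    if expected_mac is None:
        return "drop: unknown router"
    if expected_mac != ra["src_mac"]:
        return "drop: source MAC does not match allowed router"
    return "ok"


def audit(frames, allowed_routers):
    """Apply the filter to a list of frames; non-RA frames are reported as 'ignored'."""
    verdicts = []
    for frame in frames:
        ra = parse_ra(frame)
        verdicts.append("ignored" if ra is None else classify(ra, allowed_routers))
    return verdicts


if __name__ == "__main__":
    allowed = {"fe80::1": "02:00:00:00:00:01"}               # the one real router (constructed)
    frames = [
        build_ra("02:00:00:00:00:01", "fe80::1", 1800, "2001:db8:1::/64"),        # legitimate
        build_ra("02:00:00:00:31:33", "fe80::31:33", 1800, "2001:db8:bad::/64"),  # Mr 31337
        build_ra("02:00:00:00:31:33", "fe80::1", 1800, "2001:db8:1::/64"),        # spoofed source
        build_ra("02:00:00:00:00:01", "fe80::1", 1800, "2001:db8:1::/64", 64),    # bad hop limit
    ]
    for frame, verdict in zip(frames, audit(frames, allowed)):
        ra = parse_ra(frame)
        print(ra["src_ip"], ra["src_mac"], ra["prefixes"], "->", verdict)
```

The allowlist check is what stops the "400 people instantly lose network access" case from the thread: the rogue RA never reaches the hosts, so no host installs fe80::31:33 as a default router. A lifetime-0 RA spoofed from the real router's address is caught by the MAC comparison, which is why the allowlist binds address and MAC together rather than trusting either alone; a switch doing RA Guard enforces the same thing per port, which is stronger than a MAC match because the port cannot be spoofed from the client side.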