On 12/30/2013 8:16 PM, Leo Bicknell wrote:
> There's a reason why there's huge efforts to put RA guard in switches, and do cryptographic RAs. These are two admissions that the status quo does not work for many folks, but for some reason these two solutions get pushed over a simple DHCP router assignment option.
The more disturbing "feature" for those that have been there, done that, debugged the meltdown, and tried to avoid repeating the issue is the growing proliferation of "automatic" discovery/configuration... whether RA / SLAAC / mDNS / Bonjour / UPnP / (the list goes on...). There are too many opportunities for spoofing / MITM / self-propagating "issues". Yes, DHCP is prone to similar issues, but it is better to focus on "one" service and "one" authoritative source to try to lock down than to try to protect the plethora of growing options to introduce issues from arbitrary sources. But as the market focus appears to continue to try to address the home / SOHO environment of naive users, the "self-configuration" nastiness continues to propagate. It may fit at home / SOHO, but not in the Enterprise, and certainly not in a university environment where you can't be as "restrictive" on a universal basis as you might like to be :(

Jeff