I'd argue that while the timing may be different, RA and DHCP attacks are largely the same and are simply variations on a theme. And, regardless of the protocol in question, represent attacks which should be defended against. As is often (always?) the case, there are tradeoffs - and the pros and cons of those tradeoffs will be weighted differently by different parties. /TJ On Jan 3, 2014 12:00 AM, "Matthew Kaufman" <matthew@matthew.at> wrote:
On 12/30/2013 4:56 PM, Owen DeLong wrote:
You can accomplish the same thing in IPv4….
Plug in Sally’s PC with Internet Connection Sharing turned on and watch
DHCP server takes over your network.
Not nearly as fast as bad RAs do (as others have pointed out).
Yes, you have to pay attention when you plug in a router just like you’d
have to pay attention if you plugged in a DHCP server you were getting ready to recycle.
But the ability to plug in a not-router and break things is oh so much greater.
Incompetence in execution really isn’t the protocol’s fault.
But it is the protocol designer's fault... and once shipped, the
as her protocol's fault. There's all sorts of things that were known at the time IPv6 was designed that the designers failed to build solutions for. As an example, routers *could* be a lot smarter about sending RAs on a network where routers are already present, but that's not in the spec.
Neither the ND DOS attack nor the need to protect against bogus RAs on
every port of your switch but one (or rarely, two) are things that should have been a post-deployment surprise (to name just a couple pet peeves of mine... there's more design flaws that could have been easily avoided had enough people cared to do so).
Matthew Kaufman