On Jan 6, 2014, at 12:57 , Ricky Beam <jfbeam@gmail.com> wrote:
On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong <owen@delong.com> wrote:
A router, yes. THE router, not unless the network is very stupidly put together.
Like every win7 and win8 machine on the planet? (IPv6 is installed and enabled by default. Few places have IPv6 enabled on their LAN, so a single RA would, indeed, 0wn3z those machines instantly.)
The obvious solution to that is to install real IPv6 routers.
I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with “uplink” ports designated, for example, could easily default to permitting RAs only from those ports.
One cannot **GUESS** the security for a network. You must either *know* or *not know* what's on a port. What makes a port "uplink" (read: "trusted")? The only way to know for sure, without creating surprises or exploitable holes, is make the ADMIN explicitly SET EACH PORT. That's the way DHCP Guard works. That's the way spanning-tree portfast, bpdu guard, root guard, etc., etc. works. That's the way port security works. And that's the way RA Guard WILL be done.
The port isn't particularly trusted, but it is allowed to send RAs which are forwarded to the network by default. Obviously a sane switch would allow this configuration to be changed. We're not talking about the security model for a network, we're talking about the default behavior of a switch. Defaults are, inherently guesses to some extent. Nonetheless, a switch must have some default behavior. It seems to me that in the case of switches which have otherwise designated uplink ports, it is logical to make those ports default to RA allowed while defaulting to not allowing RAs from other ports by default. Owen