Test your connectivity for World IPv6 Day
Nick Hilliard
nick at foobar.org
Wed Jun 8 21:21:57 CEST 2011
On 08/06/2011 18:17, Tony Finch wrote:
> We have had a little excitement caused by rogue RAs:
>
> http://fanf.livejournal.com/113996.html
This issue is really no different to rogue dhcp servers appearing on
internal networks in the late 1990s or rogue RIP speakers appearing on
networks in the late 80s / early 90s. It's a layer 2 problem and must be
treated as such.
And at some stage in the future, we will realise that people will start ND
spoofing too, and then the L2 kit manufacturers will suddenly realise that
they need to implement the v6 equivalent of DAI6.[1]
On a related issue, all this recent media / blog hoo-hah about RA spoofing
and such like is really driving me up the wall. It's not a new problem as
lots of people seem to want to pretend. It's an ancient problem which the
switch manufacturers have almost entirely neglected to deal with - except
for a very small number of models produced by a handful of vendors.[2]
Nick
[1] in a couple of years' time, someone will claim to have "discovered" a
hugely serious problem with ipv6 neighbor cache spoofing, and will lambaste
the protocol as being inherently insecure, or perhaps lambaste their vendor
of choice for making a balls of the protocol implementation,
yadda-yadda-yadda. When this happens, I will roll my eyes in their
sockets, clench my teeth, sigh heavily and wonder at the incredible
inability of people to learn the simplest lessons.
[2] vendors: please fix your kit to support RA guard. This is now urgent.
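The post treats rogue RAs as a layer-2 problem to be caught at the edge. Until the switch does RA guard, a host-side monitor can at least flag RAs that should not be there. The following is an added example, not code from the thread: it parses Ethernet/IPv6/ICMPv6 Router Advertisement frames and flags ones from a source MAC outside an assumed allowlist, with a hop limit other than 255, or a non-link-local source. The allowlist, MACs, prefixes and frames are all constructed test data.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

# Assumed allowlist: link-layer addresses of the routers that may send RAs on this segment.
ALLOWED_ROUTER_MACS = {"00:11:22:33:44:55"}

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_ra(src_mac, src_ip, prefix, lifetime=1800, hop_limit=255):
    """Construct a minimal Ethernet/IPv6/ICMPv6 RA frame (test data; ICMPv6 checksum left zero)."""
    net = IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (x8 bytes), L+A flags, valid/preferred lifetimes.
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    # RA: type 134, code 0, checksum, cur hop limit, flags, router lifetime, reachable, retrans.
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0) + opt
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit) \
        + IPv6Address(src_ip).packed + IPv6Address("ff02::1").packed
    return _mac("33:33:00:00:00:01") + _mac(src_mac) + b"\x86\xdd" + ip + icmp

def inspect_ra(frame):
    """Return None unless the frame is an ICMPv6 RA; otherwise describe it and say whether it looks rogue."""
    if len(frame) < 14 + 40 + 16 or frame[12:14] != b"\x86\xdd":
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    next_header, hop_limit = frame[20], frame[21]
    src_ip = IPv6Address(frame[22:38])
    icmp = frame[54:]
    if next_header != 58 or icmp[0] != 134:
        return None
    lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp):                      # walk the ND options TLVs
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:                                # malformed option; stop rather than loop forever
            break
        if otype == 3 and olen == 32:
            prefixes.append(f"{IPv6Address(icmp[off + 16:off + 32])}/{icmp[off + 2]}")
        off += olen
    reasons = []
    if src_mac not in ALLOWED_ROUTER_MACS:
        reasons.append("unexpected source MAC")
    if hop_limit != 255:                             # RFC 4861: RAs must arrive with hop limit 255
        reasons.append("hop limit != 255")
    if not src_ip.is_link_local:
        reasons.append("source address not link-local")
    return {"src_mac": src_mac, "src_ip": str(src_ip), "lifetime": lifetime,
            "prefixes": prefixes, "rogue": bool(reasons), "reasons": reasons}
```

In production the frames would come from a raw socket or pcap on the segment, and an alert on a rogue verdict is the point at which to trace the source MAC to a switch port.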