Test your connectivity for World IPv6 Day

Nick Hilliard nick at foobar.org
Wed Jun 8 21:21:57 CEST 2011

On 08/06/2011 18:17, Tony Finch wrote:
> We have had a little excitement caused by rogue RAs:
> http://fanf.livejournal.com/113996.html

This issue is really no different to rogue dhcp servers appearing on 
internal networks in the late 1990s or rogue RIP speakings appearing on 
networks in the late 80s / early 90s.  It's a layer 2 problem and must be 
treated as such.

And at some stage in the future, we will realise that people will start ND 
spoofing too, and then the L2 kit manufacturers will suddenly realise that 
they need to implement the v6 equivalent of DAI6.[1]

On a related issue, all this recent media / blog hoo-hah about RA spoofing 
and such like is really driving me up the wall.  It's not a new problem as 
lots of people seems to want to pretend.  It's an ancient problem which the 
switch manufacturers have almost entirely neglected to deal with - except 
for a very small number of models produced by a handful of vendors.[2]


[1] in a couple of years time, someone will claim to have "discovered" a 
hugely serious problem with ipv6 neighbor cache spoofing, and will lambaste 
the protocol as being inherently insecure, or perhaps lambaste their vendor 
of choice for making a balls of the protocol implementation, 
yadda-yadda-yadda.  When this happens, I will roll my eyes in their 
sockets, clench my teeth, sigh heavily and wonder at the incredible 
inability of people not to learn the simplest lessons.

[2] vendors: please fix your kit to support RA guard.  This is now urgent.

More information about the ipv6-ops mailing list