Re: [dhcwg] DHCPv6 router option

[Frank Sweetser <fs at WPI.EDU>]

Ted Lemon wrote:
> On Mar 11, 2009, at 9:53 AM, sthaug at nethelp.no wrote:
>> I strongly disagree with your disagreement.
> 
> This is a major hot-button issue.   People have extremely strong  
> opinions about it.   It happens that although you and Iljitsch  
> disagree on what to do, you both have valid points.   At the same  
> time, you appear to be talking past each other.
> 
> What appears to be worrying Iljitsch, which you do not appear to be  
> concerned about, is that if a DHCPv6 client is receptive to this  
> option, it will trust it even when it is wrong, not just on your  
> network but on his.   So adoption of this option affects Iljitsch just  
> as much as it affects you - he can't "opt out."

Just to throw some more sand in the gears, there's also no guarantee that the
RAs your clients are hearing are usable for them.  Just last week, I had all
IPv6 enabled clients in one subnet lose connectivity.  After some digging
around, it turned out that an XP box had began sending RAs, advertising its
link local address as a default gateway.  Once you allow fumble-fingered
admins into the equation, not much is safe.

When SOHO devices from Linksys and Netgear start appearing with IPv6 support,
it's inevitable that those of us running EDU networks with dorms will have to
deal with students plugging them in the wrong way around, just as they have
been doing for many years.  While this may be a "new" problem in that it uses
RA to break the subnet, it's really not different from using DHCPv4 or ARP.  I
strongly suspect that in the end the switch vendors are going to have to
create v6 analogues to the ARP and DHCP rogue server prevention features
they've already implemented for v4.

> Similarly, your requirement, which Iljitsch does not agree with, is  
> that on some networks, managing what gets sent in RAs is a lot more  
> work than managing what gets sent by the DHCP server.   DHCP provides  
> you with a central control point, whereas RAs are necessarily  
> configured in the router.

To expand on this point more, if you have multiple routers on a subnet, it's
quite conceivable that different administrative categories of clients should
be directed as specific routers.  This could be for QoS, bandwidth costs,
quarantine networks, or other odd site specific requirements.  Sending a
router list via DHCP would allow for an administrator to customize the router
list per client, something which isn't possible to do when the client is
simply rounding up RAs.

> As I say, I don't know if you can reach any kind of rapprochement, but  
> I think this is the heart of your disagreement, and I think that this  
> conflict is well understood by the working group.   It would be nice  
> if there were some way for Iljitsch to opt out that still allowed you  
> to get what you want, but I'm not sure that there is, which is what  
> makes this a contentious discussion.

A couple of other posts have suggested ways in which the MO bits can be used
to effective tell clients not to use the RA to set up the default gateway.  At
least from my point of view (I would prefer a DHCP only method in my network,
though I can easily see how using RA would have advantages elsewhere) that
would be perfectly acceptable, as it means that I can effectively control
which data source my clients are using.

-- 
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC