
Re: [dhcwg] DHCPv6 router option



Hemant Singh (shemant) wrote:
* "RA guard" to filter and limit the scope of misconfigured RAs
* a DHCP option, to be sent with the initial DHCP message exchange, signaling the host to ignore all future RAs

We need to continue the discussion; let's focus on how to allow both methods of configuration to coexist.


Ralph,

You see one obvious problem here?  With only ND and RA we have a RA
guard solution to deal with for rogue RAs or misconfigured RAs.  With
DHCPv6 option now we have to think of two solutions for most such
problems in an IPv6 network.  Interesting use of our times....

Leaving the router option out of DHCPv6 only means that you don't have to protect against a rogue/misconfigured router DHCP option. Unfortunately, it doesn't get you off the hook for all of the other ways that DHCPv6 can be abused or misconfigured.

As a real world example, there is at least one family of viruses in the wild that uses a local DHCP server. It maliciously reconfigures other hosts on the local subnet with a rogue DNS server, which in turn is used to trick web browsers into viewing pages loaded with exploits.

Crippling DHCPv6 by leaving out a router option may remove one way that DHCP can be used to break a network, but it doesn't eliminate the need for a v6 DHCP guard - without it there are still too many ways to play silly buggers with the local subnet.

--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
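As an added illustration of the "v6 DHCP guard" the message above argues for (example code, not part of the thread and not any vendor's implementation): a small Python policy engine that parses DHCPv6 messages (RFC 8415 header and TLV options; OPTION_DNS_SERVERS from RFC 3646), passes client-originated messages, and drops server-originated ones (ADVERTISE/REPLY/RECONFIGURE) that arrive on an untrusted port, carry an unknown server DUID, or push a recursive DNS server that is not on the allow-list, which is exactly the rogue-DNS attack the message describes. Port names, DUIDs, addresses and the sample frames are constructed for the example.

```python
"""Toy DHCPv6 guard: parse server-originated DHCPv6 messages and enforce a
port / server-DUID / DNS-server allow-list.  Added example; the port names,
DUIDs and addresses below are constructed, not real."""
import ipaddress
import struct

# RFC 8415 message types that only a DHCPv6 server legitimately sends.
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
MSG_SOLICIT, MSG_REPLY = 1, 7
OPTION_SERVERID = 2        # RFC 8415, server DUID
OPTION_DNS_SERVERS = 23    # RFC 3646, list of 16-byte IPv6 addresses


def parse_dhcpv6(payload):
    """Return (msg_type, transaction_id, [(option_code, data), ...]).

    Raises ValueError on a truncated header or an option that overruns
    the message, so a malformed frame can be dropped rather than guessed at."""
    if len(payload) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    options, pos = [], 4
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        data = payload[pos:pos + length]
        if len(data) != length:
            raise ValueError("option %d overruns message" % code)
        options.append((code, data))
        pos += length
    return msg_type, xid, options


def option(options, code):
    return [data for c, data in options if c == code]


def dns_servers(options):
    """Decode every OPTION_DNS_SERVERS instance into IPv6Address objects."""
    addrs = []
    for data in option(options, OPTION_DNS_SERVERS):
        if len(data) % 16:
            raise ValueError("DNS server option not a multiple of 16 bytes")
        addrs.extend(ipaddress.IPv6Address(data[i:i + 16])
                     for i in range(0, len(data), 16))
    return addrs


class Dhcp6Guard:
    def __init__(self, trusted_ports, trusted_duids, allowed_dns):
        self.trusted_ports = set(trusted_ports)
        self.trusted_duids = set(trusted_duids)
        self.allowed_dns = {ipaddress.IPv6Address(a) for a in allowed_dns}

    def evaluate(self, ingress_port, payload):
        """Return ("PERMIT" | "DROP", reason) for one DHCPv6 frame."""
        try:
            msg_type, _, options = parse_dhcpv6(payload)
            # Client messages (SOLICIT, REQUEST, ...) are not policed here.
            if msg_type not in SERVER_MSG_TYPES:
                return "PERMIT", "client message"
            name = SERVER_MSG_TYPES[msg_type]
            if ingress_port not in self.trusted_ports:
                return "DROP", "%s from untrusted port %s" % (name, ingress_port)
            duids = option(options, OPTION_SERVERID)
            if len(duids) != 1 or duids[0] not in self.trusted_duids:
                return "DROP", "%s with unknown server DUID" % name
            rogue = [a for a in dns_servers(options) if a not in self.allowed_dns]
        except ValueError as exc:
            return "DROP", "malformed: %s" % exc
        if rogue:
            return "DROP", "%s pushes unapproved DNS server %s" % (name, rogue[0])
        return "PERMIT", name


# --- constructed sample frames -------------------------------------------
def build(msg_type, xid, options):
    body = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        body += struct.pack("!HH", code, len(data)) + data
    return body


def dns_opt(*addrs):
    return (OPTION_DNS_SERVERS,
            b"".join(ipaddress.IPv6Address(a).packed for a in addrs))


GOOD_DUID = bytes.fromhex("0003000100112233aabb")   # DUID-LL, made up
ROGUE_DUID = bytes.fromhex("000300010123456789ab")  # DUID-LL, made up
LEGIT_REPLY = build(MSG_REPLY, 0xABCDEF,
                    [(OPTION_SERVERID, GOOD_DUID), dns_opt("2001:db8::53")])
ROGUE_REPLY = build(MSG_REPLY, 0xABCDEF,
                    [(OPTION_SERVERID, ROGUE_DUID), dns_opt("2001:db8:bad::1")])
SPOOFED_DNS_REPLY = build(MSG_REPLY, 0xABCDEF,
                          [(OPTION_SERVERID, GOOD_DUID), dns_opt("2001:db8:bad::1")])
SOLICIT = build(MSG_SOLICIT, 0x123456, [])

GUARD = Dhcp6Guard(trusted_ports={"Gi1/0/1"},       # uplink to the real server
                   trusted_duids={GOOD_DUID},
                   allowed_dns=["2001:db8::53"])

FRAMES = [("Gi1/0/1", LEGIT_REPLY), ("Gi1/0/7", ROGUE_REPLY),
          ("Gi1/0/1", ROGUE_REPLY), ("Gi1/0/1", SPOOFED_DNS_REPLY),
          ("Gi1/0/7", SOLICIT), ("Gi1/0/1", LEGIT_REPLY[:-3])]


def run_demo():
    return [GUARD.evaluate(port, frame) for port, frame in FRAMES]


if __name__ == "__main__":
    for (port, _), (verdict, why) in zip(FRAMES, run_demo()):
        print("%-8s %-6s %s" % (port, verdict, why))
```

The decision order matters: the port check comes first because a rogue host on an access port can forge any DUID it likes, so the DUID and DNS checks only add value for frames that already arrived on a port where a server is expected to live. The last sample frame is a legitimate reply with its tail cut off; it is dropped as malformed rather than parsed optimistically.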