
Re: [dhcwg] DHCPv6 router option



Frank,

Are you suggesting we specify a way in DHC to prevent people from improperly
configuring their DHCPv6 servers?

John
=========================================
John Jason Brzozowski
Comcast Corporation
e) mailto:john_brzozowski at cable.comcast.com
m) 609-377-6594
=========================================


> From: Frank Sweetser <fs at WPI.EDU>
> Date: Mon, 23 Mar 2009 20:27:21 -0400
> To: Hemant Singh <shemant at cisco.com>
> Cc: dhc WG <dhcwg at ietf.org>, Ted Lemon <Ted.Lemon at nominum.com>, Ralph Droms
> <rdroms at cisco.com>
> Subject: Re: [dhcwg] DHCPv6 router option
> 
> Hemant Singh (shemant) wrote:
>>> * "RA guard" to filter and limit the scope of misconfigured RAs
>>> * a DHCP option, to be sent with the initial DHCP message exchange,
>>> signaling the host to ignore all future RAs
>> 
>>> We need to continue the discussion; let's focus on how to allow both
>>> methods of configuration to coexist.
>> 
>> 
>> Ralph,
>> 
>> Do you see one obvious problem here?  With only ND and RA we have an RA
>> guard solution to deal with for rogue RAs or misconfigured RAs.  With
>> the DHCPv6 option now we have to think of two solutions for most such
>> problems in an IPv6 network.  Interesting use of our times....
> 
> Leaving the router option out of DHCPv6 only means that you don't have to
> protect against a rogue/misconfigured router DHCP option.  Unfortunately, it
> doesn't get you off the hook for all of the other ways that DHCPv6 can be
> abused or misconfigured.
> 
> As a real world example, there is at least one family of viruses in the wild
> that uses a local DHCP server.  It maliciously reconfigures other hosts on the
> local subnet with a rogue DNS server, which in turn is used to trick web
> browsers into viewing pages loaded with exploits.
> 
> Crippling DHCPv6 by leaving out a router option may remove one way that DHCP
> can be used to break a network, but it doesn't eliminate the need for a v6
> DHCP guard - without it there are still too many ways to play silly buggers
> with the local subnet.
> 
> --
> Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
> WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
>      GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
> _______________________________________________
> dhcwg mailing list
> dhcwg at ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg