[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dhcwg] DHCPv6 router option

To: John Jason Brzozowski <john_brzozowski at cable.comcast.com>
Subject: Re: [dhcwg] DHCPv6 router option
From: Frank Sweetser <fs at WPI.EDU>
Date: Mon, 23 Mar 2009 20:54:23 -0400
Cc: dhc WG <dhcwg at ietf.org>, "int-area at ietf.org" <int-area at ietf.org>, Ted Lemon <Ted.Lemon at nominum.com>, Ralph Droms <rdroms at cisco.com>
Delivered-to: dhcwg at core3.amsl.com
In-reply-to: <C5ED799C.9EF1C%john_brzozowski at cable.comcast.com>
List-archive: <http://www.ietf.org/mail-archive/web/dhcwg>
List-help: <mailto:dhcwg-request@ietf.org?subject=help>
List-id: <dhcwg.ietf.org>
List-post: <mailto:dhcwg@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
References: <C5ED799C.9EF1C%john_brzozowski at cable.comcast.com>
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

John Jason Brzozowski wrote:

Frank,

Are you suggesting we specify a way in DHC to prevent people from improperly
configuring their DHCPv6 servers?

Not at all. I run a network full of students, so I'm thoroughly aware of thefutility of assuming that all of your clients are well behaved ones =)

My point simply was that, in any network full of untrusted hosts, there aremultiple ways for a rogue DHCP server to cause network problems, regardless ofthe existence or lack of a router DHCPv6 option. If you're at all concernedabout rogue DHCPv6 servers, then you absolutely need some form of switch based"DHCP guard" - a filter applied to all edge ports which prevents them fromsending out the rogue DHCP advertisements.

So in other words, with or without the DHCPv6 router option, you still have tospend the time on a DHCP guard or you're going to be vulnerable to rogue DHCPservers.


--
Frank Sweetser fs at wpi.edu  |  For every problem, there is a solution that
WPI Senior Network Engineer   |  is simple, elegant, and wrong. - HL Mencken
    GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC

Follow-Ups:
- Re: [dhcwg] [Int-area] DHCPv6 router option
  - From: Danny Mayer

References:
- Re: [dhcwg] DHCPv6 router option
  - From: John Jason Brzozowski

Prev by Date: Re: [dhcwg] DHCPv6 router option
Next by Date: Re: [dhcwg] BBF and DHCP auth, was: We really mean it this time *FINAL* agendafor dhc WG meeting
Previous by thread: Re: [dhcwg] DHCPv6 router option
Next by thread: Re: [dhcwg] [Int-area] DHCPv6 router option
Index(es):
- Date
- Thread