Re: [dhcwg] [Int-area] DHCPv6 router option
Frank Sweetser wrote:
> John Jason Brzozowski wrote:
>> Frank,
>>
>> Are you suggesting we specify a way in DHC to prevent people from
>> improperly configuring their DHCPv6 servers?
>
> Not at all. I run a network full of students, so I'm thoroughly aware
> of the futility of assuming that all of your clients are well behaved
> ones =)
>
> My point simply was that, in any network full of untrusted hosts, there
> are multiple ways for a rogue DHCP server to cause network problems,
> regardless of the existence or lack of a router DHCPv6 option. If
> you're at all concerned about rogue DHCPv6 servers, then you absolutely
> need some form of switch based "DHCP guard" - a filter applied to all
> edge ports which prevents them from sending out the rogue DHCP
> advertisements.
>
> So in other words, with or without the DHCPv6 router option, you still
> have to spend the time on a DHCP guard or you're going to be vulnerable
> to rogue DHCP servers.
>
There's already a virus in the wild that is doing this. See
Trojan.Flush.M. In fact Googling for this shows that there is a new
version out:
http://arstechnica.com/security/news/2009/03/new-version-of-dns-server-trojan-flushm-spotted-in-the-pipe.ars
Though this is more about using DHCP guard everywhere.
Danny
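The switch-based "DHCP guard" filter described in the quoted message, as an added example that is not part of the original thread: a Python sketch of the per-port decision, using the DHCPv6 message types and UDP ports 546/547 from RFC 8415. The function names, the `edge`/`trusted` role labels and the sample datagrams are assumptions constructed for illustration.

```python
import struct

# Message types that only a DHCPv6 server (or a relay answering one) originates.
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
CLIENT_PORT, SERVER_PORT = 546, 547  # UDP ports clients / servers listen on


def guard_verdict(udp_datagram: bytes, port_role: str) -> str:
    """Return 'forward' or 'drop' for a UDP datagram received on a switch port.

    port_role: 'trusted' (uplink or known server port) or 'edge' (host port).
    These role names are assumptions of this sketch.
    """
    if port_role == "trusted":
        return "forward"
    if len(udp_datagram) < 8:
        return "drop"  # malformed UDP header: fail closed on edge ports
    _sport, dport, _length, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    if dport not in (CLIENT_PORT, SERVER_PORT):
        return "forward"  # not DHCPv6, outside the guard's scope
    if dport == CLIENT_PORT:
        return "drop"  # hosts never legitimately send to the client port
    if len(udp_datagram) < 9:
        return "drop"  # no msg-type byte to inspect
    msg_type = udp_datagram[8]  # first payload byte is the DHCPv6 msg-type
    return "drop" if msg_type in SERVER_MSG_TYPES else "forward"


def make_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed UDP datagram (checksum left at 0, not validated here)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: msg-type byte followed by a 3-byte transaction id.
SOLICIT = make_udp(CLIENT_PORT, SERVER_PORT, b"\x01\xaa\xbb\xcc")
ROGUE_ADVERTISE = make_udp(SERVER_PORT, CLIENT_PORT, b"\x02\xaa\xbb\xcc")
ROGUE_RELAY_REPL = make_udp(SERVER_PORT, SERVER_PORT, b"\x0d\x00")

if __name__ == "__main__":
    for name, pkt in [("SOLICIT", SOLICIT), ("ADVERTISE", ROGUE_ADVERTISE),
                      ("RELAY-REPL", ROGUE_RELAY_REPL)]:
        print(name, "edge:", guard_verdict(pkt, "edge"),
              "trusted:", guard_verdict(pkt, "trusted"))
```

The verdict depends only on the receiving port's role and the message direction, never on which options the message carries, which matches the point that the guard is needed with or without a router option.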