Re: IPv6 Deployment for the LAN
In a message written on Thu, Oct 22, 2009 at 03:23:13PM -0400, Ray Soucy wrote:
> If the argument against RA being used to provide gateway information
> is "rogue RA," then announcing gateway information through the use of
> DHCPv6 doesn't solve anything. Sure you'll get around rogue RA, but
> you'll still have to deal with rogue DHCPv6. So what is gained?

It's a huge difference, and any conference network shows it.

Let's assume 400 people come into a room, get up and working (with
DHCPv4, and IPv6 RAs).

Someone now introduces a rogue IPv4 server. Who breaks? Anyone who
requests a new lease. That is, 400 people keep working just fine.

Now, someone introduces a rogue RA. Who breaks? All 400 users are
instantly down.

More importantly, there is another class of misconfigured device. I
plugged in a Cisco router to download new code to it on our office
network. It had a DHCP forward statement, and IPv6. It was from
another site.

The DHCP forward didn't work; it pointed to something non-existent that
also was never configured for the local subnet. There was zero chance
of IPv4 interference.

The IPv6 network picked up the RA to a router with no routes though, and
so simply plugging in the old router took down the entire office
network.

The operational threats of a DHCP-based network and an RA-based network
are quite different. Try it on your own network.

--
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
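
The failure described in the message above (a stray router's RA becoming the default gateway for the whole link) can be watched for by checking every observed RA against the routers that are supposed to be sending them. This is an added example, not part of the original message; the allowlist address and the sample RA bytes are constructed, and packet capture is assumed to be done by whatever tool feeds `check_ra`.

```python
import ipaddress
import struct

# Assumption: link-local addresses of the routers expected to send RAs here.
AUTHORIZED_ROUTERS = {ipaddress.ip_address("fe80::1")}

# Constructed sample: ICMPv6 RA, router lifetime 1800 s, one Prefix
# Information option for 2001:db8:1::/64 (documentation prefix).
SAMPLE_RA = bytes.fromhex(
    "86000000400007080000000000000000"
    "030440c000278d0000093a8000000000"
    "20010db8000100000000000000000000"
)

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _cksum, _hop, _flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp6[:16])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen = icmp6[off + 2]
            prefixes.append(ipaddress.IPv6Network(
                (icmp6[off + 16:off + 32], plen), strict=False))
        off += opt_len
    return {"router_lifetime": lifetime, "prefixes": prefixes}

def check_ra(src: str, icmp6: bytes) -> list:
    """Return findings for one observed RA; an empty list means nothing to flag."""
    ra = parse_ra(icmp6)
    findings = []
    if ipaddress.ip_address(src) not in AUTHORIZED_ROUTERS:
        findings.append(f"RA from unauthorized source {src}")
        # A non-zero router lifetime means the sender offers itself as a
        # default router, so hosts accepting RAs add it to their router list.
        if ra["router_lifetime"] > 0:
            findings.append(
                f"advertises itself as default router for {ra['router_lifetime']}s")
    return findings

if __name__ == "__main__":
    for src in ("fe80::1", "fe80::dead"):  # constructed source addresses
        print(src, check_ra(src, SAMPLE_RA) or "ok")
```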