On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote:
> In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote:
>> RA is a shotgun. All hosts on a segment get the same gateway. I have
>> no idea what a host on multiple segments with different gateways would
>> do. Hosting environments can get complex thanks to customer
>
> I would like to point out that in IPv4 we have ICMP Router
> Advertisement messages. I have never seen them used on a production
> network. I know one of the worries is security, that a compromised host
> could send out advertisements, drawing traffic to it that it can then
> snoop and pass on to the real gateway.
>
> Having not looked in great detail, I am unclear if IPv6 has done
> something to fix this concern or not.
>
> Is this feature going to get turned off when the first worm comes along
> that spoofs RAs?
>
It's unlikely that it will matter. In practice, ICMP router discovery
died a long time ago, thanks to neglect. Host vendors didn't adopt it,
and it languished. The problem eventually got solved with HSRP and its
clone, VRRP.

This doesn't resolve the real underlying problem: Ethernet is inherently
insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged,
and at this point there's not much that we can do about it.
Architecturally, we need authentication over each and every control
plane packet sent. Getting there without invoking the full complexity of
a public key infrastructure is still an unsolved problem, AFAIK.

Tony
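The rogue-RA scenario Leo raises (a compromised host advertising itself as the gateway) is exactly what a switch-side RA Guard policy or a passive monitor catches: an ICMPv6 Router Advertisement that passes the RFC 4861 validity checks but does not come from the MAC/link-local pair of the real router. The script below is an added example written for this page, not code from anyone in the thread. It parses raw Ethernet frames, validates the RA the way a receiving host must (hop limit 255, link-local source, correct ICMPv6 checksum) and then applies an allow-list of legitimate routers. The gateway MAC/address, the rogue MAC/address and the sample frames are all constructed inline for the demonstration; the allow-list format is this example's own, not any vendor's.

```python
"""Rogue Router Advertisement detector (added example, not from the thread).

Parses Ethernet/IPv6/ICMPv6 Router Advertisements (type 134), applies the
RFC 4861 receiver checks, and flags RAs whose source MAC / link-local address
is not on the allow-list of legitimate gateways. Sample frames below are
constructed here for the demonstration; no real network data is used.
"""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def icmpv6_checksum(src_ip, dst_ip, icmp):
    """One's-complement checksum over the IPv6 pseudo-header plus ICMPv6 message.
    Returns 0 when called on a message whose checksum field is already correct."""
    pseudo = src_ip.packed + dst_ip.packed + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6)
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra_frame(src_mac, src_ip, hop_limit=255, router_lifetime=1800):
    """Construct a minimal Ethernet + IPv6 + ICMPv6 RA sent to ff02::1 (sample data)."""
    src = ipaddress.IPv6Address(src_ip)
    # RA header: type, code, checksum(0), cur hop limit, flags, router lifetime,
    # reachable time, retrans timer; then a source link-layer address option.
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    icmp += struct.pack("!BB", 1, 1) + src_mac
    csum = icmpv6_checksum(src, ALL_NODES, icmp)
    icmp = icmp[:2] + struct.pack("!H", csum) + icmp[4:]
    ipv6 = struct.pack("!IHBB", 0x6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ipv6 += src.packed + ALL_NODES.packed
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + icmp


def parse_ra(frame):
    """Decode an RA frame into a dict (with a 'problems' list of RFC 4861
    validation failures), or return None when the frame is not an ICMPv6 RA."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    vtf, plen, nh, hlim = struct.unpack("!IHBB", frame[14:22])
    if vtf >> 28 != 6 or nh != IPPROTO_ICMPV6:
        return None
    src_ip = ipaddress.IPv6Address(frame[22:38])
    dst_ip = ipaddress.IPv6Address(frame[38:54])
    icmp = frame[54:54 + plen]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    problems = []
    if hlim != 255:  # an RA that crossed a router cannot have hop limit 255
        problems.append("hop limit %d != 255 (packet was forwarded, not on-link)" % hlim)
    if not src_ip.is_link_local:
        problems.append("source %s is not link-local" % src_ip)
    if icmpv6_checksum(src_ip, dst_ip, icmp) != 0:
        problems.append("bad ICMPv6 checksum")
    lifetime = struct.unpack("!H", icmp[6:8])[0]
    return {"src_mac": src_mac, "src_ip": src_ip, "lifetime": lifetime, "problems": problems}


def classify_ra(frame, allowed_routers):
    """allowed_routers maps gateway MAC (bytes) -> its link-local IPv6Address.
    Returns 'ok', 'not-ra', 'invalid: ...' or 'rogue: ...'."""
    ra = parse_ra(frame)
    if ra is None:
        return "not-ra"
    if ra["problems"]:
        return "invalid: " + "; ".join(ra["problems"])
    if allowed_routers.get(ra["src_mac"]) != ra["src_ip"]:
        return "rogue: RA from %s (%s)" % (ra["src_ip"], ra["src_mac"].hex(":"))
    return "ok"


# Constructed sample data: one legitimate gateway, one rogue host on the segment,
# and one forged RA that arrived with a non-link-local source and hop limit 64.
GATEWAY_MAC = bytes.fromhex("001122334455")
GATEWAY_IP = ipaddress.IPv6Address("fe80::211:22ff:fe33:4455")
ALLOWED = {GATEWAY_MAC: GATEWAY_IP}

SAMPLE_LEGIT = build_ra_frame(GATEWAY_MAC, "fe80::211:22ff:fe33:4455")
SAMPLE_ROGUE = build_ra_frame(bytes.fromhex("deadbeef0001"), "fe80::dcad:beff:feef:1")
SAMPLE_OFFLINK = build_ra_frame(bytes.fromhex("deadbeef0002"), "2001:db8::1", hop_limit=64)

if __name__ == "__main__":
    for name, frame in [("legit", SAMPLE_LEGIT), ("rogue", SAMPLE_ROGUE), ("offlink", SAMPLE_OFFLINK)]:
        print(name, "->", classify_ra(frame, ALLOWED))
```

Note that the rogue frame is fully valid by RFC 4861: the hop-limit and link-local checks only stop RAs injected from off-link, which is why a rogue on the same segment can only be stopped by a per-port policy (the switch knowing which port the router is on) or, as Tony says, by authenticating the control-plane packet itself.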