North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: v6 subnet size for DSL & leased line customers

  • From: Tony Li
  • Date: Wed Dec 26 13:24:27 2007

On Dec 26, 2007, at 8:26 AM, Leo Bicknell wrote:

In a message written on Tue, Dec 25, 2007 at 12:43:45AM -0500, Kevin Loch wrote:
RA is a shotgun. All hosts on a segment get the same gateway. I have
no idea what a host on multiple segments with different gateways would
do. Hosting environments can get complex thanks to customer

I would like to point out that in IPv4 we have ICMP Router
Advertisement messages. I have never seen them used on a production
network. I know one of the worries is security, that a compromised host
could send out advertisements, drawing traffic to it that it can then
snoop and pass on to the real gateway.

Having not looked in great detail, I am unclear if IPv6 has done
something to fix this concern or not.

Is this feature going to get turned off when the first worm comes along
that spoofs RA's

It's unlikely that it will matter. In practice, ICMP router discovery died a long time ago, thanks to neglect. Host vendors didn't adopt it, and it languished. The problem eventually got solved with HSRP and its clone, VRRP.

This doesn't resolve the real underlying problem: Ethernet is inherently insecure. MAC addresses can be forged, protocols (ARP, ND) can be forged and at this point, there's not much that we can do about it. Architecturally, we need authentication over each and every control plane packet sent. Getting there without invoking the full complexity of a public key infrastructure is still an unsolved problem, AFAIK.