Home page logo

nanog logo nanog mailing list archives

Re: IPv6 RA vs DHCPv6 - The chosen one?
From: Ray Soucy <rps () maine edu>
Date: Fri, 23 Dec 2011 15:09:02 -0500

On Fri, Dec 23, 2011 at 2:51 PM, Tomas Podermanski <tpoder () cis vutbr cz> wrote:

That is true, but we know solution for IPv4 (DHCP snooping, ARP
protection, source address validation) and there are access switches on
the market having that security features. Switches supporting such
features for IPv6 are usually much more expensive. And there is another
problem. Although you have money for that hardware it does not protect
you against malicious attacks.

Yes, and over time similar Layer-2 security features will become
available for IPv6 by default.  The more people who work to deploy
IPv6 and express these concerns to vendors, the more likely vendors
are to give them priority.

RA Guard is one such example where vendors have responded to community
concerns and have begun to implement the functionality.

All these problems exist for IPv4, and I would go as far as to say
that the vast majority of networks don't even implement things like
ARP inpsection, DHCP snooping, IP source verification, UUFB, etc.
They're things that dramatically increase network stability, and
things that are used by those of us who run larger networks, but they
are certainly not typical by any measure.

Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]