Home page logo

nanog logo nanog mailing list archives

Re: turning on comcast v6
From: "Ricky Beam" <jfbeam () gmail com>
Date: Mon, 06 Jan 2014 15:57:00 -0500

On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong <owen () delong com> wrote:
A router, yes. THE router, not unless the network is very stupidly put together.

Like every win7 and win8 machine on the planet? (IPv6 is installed and enabled by default. Few places have IPv6 enabled on their LAN, so a single RA would, indeed, 0wn3z those machines instantly.)

I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions in most cases. Switches with “uplink” ports designated, for example, could easily default to permitting RAs only from those ports.

One cannot **GUESS** the security for a network. You must either *know* or *not know* what's on a port. What makes a port "uplink" (read: "trusted")? The only way to know for sure, without creating surprises or exploitable holes, is make the ADMIN explicitly SET EACH PORT. That's the way DHCP Guard works. That's the way spanning-tree portfast, bpdu guard, root guard, etc., etc. works. That's the way port security works. And that's the way RA Guard WILL be done.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]