[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Owen DeLong
owend at he.net
Fri Aug 24 01:29:14 CEST 2012
On Aug 23, 2012, at 11:28 , Fernando Gont <fgont at si6networks.com> wrote:
> On 08/23/2012 12:42 PM, Owen DeLong wrote:
>>> no, that's not the point. the point is that the implementations are
>>> not where they should be for a global production rollout.
>>
>> Neither is IPv4... That _IS_ the point. We rolled IPv4 out without
>> worrying about it.
>
> The world economy didn't depend on IPv4 when it was rolled out -- there
> lies the "subtle" difference.
>
However, note that I said "Neither _IS_ IPv4". Not neither "WAS" IPv4.
IPv4 still isn't where it should be for a global production rollout in terms
of security issues.
>
>> The reality, however, is that snooping doesn't solve the problem, it
>> just tells you that it is happening.
>
> ?? -- It blocks it.
>
Oh, you're talking about in the switch. Well, sort-of... But the rogue packet
has to traverse a device that does DHCP snooping which isn't always
implemented on all WAPs.
I was thinking of the DHCPMON thing that collects all the responses
and alarms on ones it doesn't expect (actual snooping).
DHCP snooping sort of works in most environments. Lots of corner cases
where it can fail, though. Sometimes in very interesting ways. I've seen it
block things it shouldn't on more than one network.
>
>
>> With RA Guard, we have an actual partial solution which, with some
>> improved handling of Extension Headers and Fragments could become a
>> complete solution.
>
> Yet it was painful to move draft-ietf-v6ops-ra-guard-implementation forward.
>
I think it's painful to move any ietf draft forward. What's your point? That's the
process.
> v6 proponents (whatever that means :-) ) don't like when v6 problems are
> discussed... but they're also apathic when solutions to those problems
> are proposed.
I think I'm about as much of a v6 proponent as anyone. However, I don't
think that I have tried to avoid discussing v6 problems, nor do I think I have
been apathetic (which is what I presume you meant by apathic) about
solutions, either.
I still think that telling people not to deploy or to delay their deployments
is bad advice and I'll still call people on it when I see that.
Owen
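The RA Guard gap discussed above (extension headers and fragments) in runnable form. This is an added example, not code from the thread, from the draft, or from any switch vendor: it contrasts a filter that only reads the fixed IPv6 header's Next Header field with one that walks the extension-header chain and refuses to pass packets whose upper-layer header it cannot locate, which is the conservative approach draft-ietf-v6ops-ra-guard-implementation (published as RFC 7113) argued for. All packets are constructed inline with documentation-style link-local addresses; function and constant names are this example's own.

```python
"""Toy RA Guard inspector: fixed-header check vs. full header-chain walk.

Added example, not from the ipv6hackers thread or any product. Packets are
constructed here for the purpose of exercising the two filters; checksums are
left at zero because the filters never look at them.
"""
import struct
from ipaddress import IPv6Address

NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DSTOPTS = 0, 43, 44, 58, 60
ICMPV6_ROUTER_ADVERT = 134
# Extension headers whose second byte is a length in 8-octet units (excluding the first 8).
CHAINABLE = {NH_HOPOPT, NH_ROUTING, NH_DSTOPTS}


def ipv6(next_header, payload, src="fe80::1", dst="ff02::1"):
    """Build a minimal IPv6 packet (version 6, hop limit 255) around payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def icmpv6_ra():
    """Constructed Router Advertisement (type 134, code 0, no options)."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)


def hop_by_hop(next_header, payload):
    """Constructed Hop-by-Hop Options header: 8 bytes holding one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00" + payload


def fragment(next_header, payload, offset=0, more=True):
    """Constructed Fragment header: offset in 8-octet units, M flag, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234) + payload


def naive_is_ra(pkt):
    """Filter that trusts only the fixed header: misses any RA behind an extension header."""
    return len(pkt) > 40 and pkt[6] == NH_ICMPV6 and pkt[40] == ICMPV6_ROUTER_ADVERT


def find_upper_layer(pkt):
    """Walk the header chain. Return (next_header, offset) of the upper-layer header,
    or (None, offset) when it cannot be determined from this packet alone
    (non-first fragment, or a chain that runs off the end of the packet)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, 0
    nh, off = pkt[6], 40
    while True:
        if nh in CHAINABLE:
            if off + 2 > len(pkt):
                return None, off
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == NH_FRAGMENT:
            if off + 8 > len(pkt):
                return None, off
            nh, _, frag_field, _ = struct.unpack_from("!BBHI", pkt, off)
            if frag_field >> 3 != 0:
                return None, off  # not the first fragment: the upper layer header is elsewhere
            off += 8
        else:
            return nh, off


def ra_guard(pkt, port_trusted=False):
    """Decision for a packet on an access port: 'permit', 'drop' or 'drop-undecidable'."""
    if port_trusted:
        return "permit"
    nh, off = find_upper_layer(pkt)
    if nh is None:
        return "drop-undecidable"  # cannot prove it is not an RA; do not pass it
    if nh == NH_ICMPV6 and off < len(pkt) and pkt[off] == ICMPV6_ROUTER_ADVERT:
        return "drop"
    return "permit"


# Constructed test vectors for the two filters.
PLAIN_RA = ipv6(NH_ICMPV6, icmpv6_ra())
HIDDEN_RA = ipv6(NH_HOPOPT, hop_by_hop(NH_ICMPV6, icmpv6_ra()))
FIRST_FRAGMENT_RA = ipv6(NH_FRAGMENT, fragment(NH_ICMPV6, icmpv6_ra(), offset=0))
LATER_FRAGMENT = ipv6(NH_FRAGMENT, fragment(NH_ICMPV6, b"\x00" * 8, offset=1, more=False))
ECHO_REQUEST = ipv6(NH_ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, pkt in [("plain RA", PLAIN_RA), ("RA behind Hop-by-Hop", HIDDEN_RA),
                      ("RA in first fragment", FIRST_FRAGMENT_RA),
                      ("later fragment", LATER_FRAGMENT), ("echo request", ECHO_REQUEST)]:
        print(f"{name:22} naive_is_ra={naive_is_ra(pkt)!s:5} ra_guard={ra_guard(pkt)}")
```

The fixed-header check passes the RA behind a Hop-by-Hop header straight through, while the chain walk still reaches the ICMPv6 type byte and drops it. Non-first fragments carry no upper-layer header at all, so the only safe answer a per-packet filter can give is to refuse them; a device that permits them instead is the "partial solution" the thread is talking about.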