[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Dennis Bohn
bohn at adelphi.edu
Fri Aug 24 01:58:26 CEST 2012
Hello,

Two comments on items in the thread:
Jim Small jim.small at cdw.com
9:04 AM (10 hours ago)
to ipv6hackers
> <snip> That said, in the space I work in Cisco and Microsoft have done
> IMHO a pretty good job addressing the issues.
I respectfully disagree about Cisco (MS too, but I am not knowledgeable enough
to comment on Microsoft). Recently-purchased Cisco access-layer switches
(3560) do NOT support RA Guard. Unless it has been implemented in the past 6
months, it was only the chassis-type switches (6500 & 4500) supporting RA
Guard.
The very latest code for the Nexus 7K still does not support DHCPv6 relay.
From what I read, DHCPv6 is still solidifying, so perhaps understandable.
The lack of RA guard on the mid-range switches is really disappointing.
Here, students in the dorms don't need to jack into a 6500 to get to
facebook/youtube/gmail (and we don't have the budget for it), but it would
be nice to prevent them from mis-configuring something and advertising
themselves as the router.
On Thu, Aug 23, 2012 at 2:28 PM, Fernando Gont <fgont at si6networks.com>wrote:
> On 08/23/2012 12:42 PM, Owen DeLong wrote:
>
> > The reality, however, is that snooping doesn't solve the problem, it
> > just tells you that it is happening.
>
> ?? -- It blocks it.
>
So, as I understand it DAI (Dynamic ARP Inspection) provides the blocking
of ARP-spoofing MIM attacks; DHCP snooping does the tracking and does block
DHCP replies from non-allowed ports. Hmmm, so as I think about it, RA
Guard will prevent a node from advertising itself as a router, in the same
way that DHCP snooping prevents an unauthorized node from answering DHCP
requests. Will RA Guard stop a malicious end-point from spoofing the
actual router's MAC addr or IPv6 addr?
Started out thinking I knew something, now am confused ;-(.
Or perhaps the Neighbor Discovery process itself prevents that? Or do we
need to do something like DAI, DNDI? Most of the MIM tools (I am thinking
Cain and Abel & ettercap) send out gratuitous ARPs. Is this kind of thing
possible with IPv6 Neighbor Discovery?
best,
dennis bohn
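As an added illustration of the two checks discussed above (what RA Guard blocks, and the ND counterpart of a gratuitous-ARP takeover that it does not cover), here is a small detector over raw Ethernet frames. It is example code written for this archive page, not from the thread or any vendor; the router MAC/link-local address and the frames are constructed, and the checksum and IPv6 extension headers are ignored.

```python
import ipaddress
import struct

# Constructed policy: the single legitimate router on this segment (hypothetical values).
ROUTER_MAC = "00:11:22:33:44:55"
ROUTER_LL = ipaddress.IPv6Address("fe80::211:22ff:fe33:4455")
ETH_IPV6, NH_ICMPV6, ICMP_RA, ICMP_NA = 0x86DD, 58, 134, 136


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, icmp_type, icmp_bytes), or None if not plain ICMPv6."""
    if len(frame) < 58 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != NH_ICMPV6:  # extension headers are not walked in this sketch
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ipaddress.IPv6Address(ip6[8:24])
    icmp = frame[54:]
    return src_mac, src_ip, icmp[0], icmp


def classify(frame: bytes) -> str:
    """Return 'ignore', 'ok', 'rogue-ra' or 'spoofed-na' for one frame."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "ignore"
    src_mac, src_ip, icmp_type, icmp = parsed
    from_router = src_mac == ROUTER_MAC and src_ip == ROUTER_LL
    if icmp_type == ICMP_RA:
        # RA Guard's rule: only the known router may advertise itself as a router.
        return "ok" if from_router else "rogue-ra"
    if icmp_type == ICMP_NA and len(icmp) >= 24:
        override = bool(icmp[4] & 0x20)  # NA flags byte: R=0x80 S=0x40 O=0x20
        target = ipaddress.IPv6Address(icmp[8:24])
        # An NA claiming the router's address with Override set, sent by another
        # station, is the ND counterpart of a gratuitous-ARP takeover.
        if target == ROUTER_LL and override and not from_router:
            return "spoofed-na"
    return "ok"


def build_frame(src_mac: str, src_ip: str, icmp: bytes) -> bytes:
    """Assemble a constructed Ethernet/IPv6/ICMPv6 frame to ff02::1 (checksum left zero)."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ETH_IPV6)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NH_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return eth + ip6 + icmp
```

Fed frames from a SPAN port or a pcap, `classify` flags exactly the RAs an RA Guard policy would drop and, separately, the spoofed NAs that RA Guard alone does not address.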