[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
bohn at adelphi.edu
Fri Aug 24 01:58:26 CEST 2012
Hello, Two comments to items in the thread:
Jim Small jim.small at cdw.com
9:04 AM (10 hours ago)
S<snip>That said, in the space I work in Cisco and Microsoft have done
IMHO a pretty good job addressing the issues.
I respectfully disagree about Cisco (MS too, but not knowledgeable enough
to comment on Microsoft). Recently-purchased Cisco Access-layer switches
(3560) do NOT support RA guard. Unless it has been implemented in past 6
mos, it was only the chassis type switches (6500 & 4500) supporting RA
The very latest code for the nexus 7K still does not support dhcpv6 relay.
From what I read, dhcpv6 is still solidifying, so perhaps understandable.
The lack of RA guard on the mid-range switches is really disappointing.
Here, students in the dorms don't need to jack into a 6500 to get to
facebook/youtube/gmail (and we don't have the budget for it), but it would
be nice to prevent them from mis-configuring something and advertising
themselves as the router.
On Thu, Aug 23, 2012 at 2:28 PM, Fernando Gont <fgont at si6networks.com>wrote:
> On 08/23/2012 12:42 PM, Owen DeLong wrote:
> > The reality, however, is that snooping doesn't solve the problem, it
> > just tells you that it is happening.
> ?? -- It blocks it.
> So, as I understand it DAI (Dynamic Arp Inspection) provides the blocking
of arp-spoofing MIM attacks; dhcp snooping does the tracking and does block
dhcp replies from non-allowed ports. Hmmm, so as I think about it, RA
Guard will prevent a node from advertising itself as a router, in the same
way that DHCP Snooping prevents an unauthorized node from answering dhcp
requests. Will RA Guard stop a malicious end-point from spoofing the
actual router's mac addr or ipv6 addr?
Started out thinking I knew something, now am confused ;-(.
Or perhaps the Neighbor Discovery process itself prevents that? Or do we
need to do something like DAI, DNDI? Most of the MIM tools (I am thinking
Cain and Abel & ettercap) send out gratuitous arps. Is this kind of thing
possible with IPV6 Neighbor Disovery?
More information about the Ipv6hackers