[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Eric Vyncke (evyncke)
evyncke at cisco.com
Tue Aug 28 16:15:48 CEST 2012
Dennis and others,
[Sorry for such a late reply]
With my Cisco hat, I would like to add that 15.0(2)SE does bring RA-guard to Cat 3560 as of 10 days or so ago. Late, very late, but at least it is there. Other Cisco switches should follow in the coming months. The caveat is that some old switches do not have the hardware required to do it... So, a forklift upgrade will be required. And, I share your pain about Nx7K (and you could find others).
Without my Cisco hat...
IETF now has several 'SAVI' (source address validation improvement) RFCs/I-Ds and we can expect that all vendors will implement those RFCs. BTW, I still see a lot of networks running IPv4 without any security at layer 2: no DHCP snooping, no dynamic ARP inspection, ... And do not get me started on the security of most WiFi hotspots...
I have hope that the IETF will adopt Fernando's I-D of making illegal all fragmented packets where the layer-4 header is not in first fragment. Then stateless devices (switches & routers) will be allowed to drop 'undetermined-transport' packets.
Also, IPv6 is here on the Internet, will be here on the intranet (actually is ALREADY there as we all know). Just do education, make a conscious decision about IPv6 in the intranet (good to deploy to get visibility and control IMHO).
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Dennis Bohn
> Sent: vendredi 24 août 2012 01:58
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] "Stick to limited IPv6 deployments,
> businesses warned"
> Hello, Two comments to items in the thread:
> Jim Small jim.small at cdw.com
> 9:04 AM (10 hours ago)
> to ipv6hackers
> <snip> That said, in the space I work in Cisco and Microsoft have done
> IMHO a pretty good job addressing the issues.
> I respectfully disagree about Cisco (MS too, but not knowledgeable
> enough to comment on Microsoft). Recently-purchased Cisco Access-layer
> (3560) do NOT support RA guard. Unless it has been implemented in past
> 6 mos, it was only the chassis type switches (6500 & 4500) supporting RA
> The very latest code for the nexus 7K still does not support dhcpv6
> From what I read, dhcpv6 is still solidifying, so perhaps
> The lack of RA guard on the mid-range switches is really disappointing.
> Here, students in the dorms don't need to jack into a 6500 to get to
> facebook/youtube/gmail (and we don't have the budget for it), but it
> would be nice to prevent them from mis-configuring something and
> advertising themselves as the router.
> On Thu, Aug 23, 2012 at 2:28 PM, Fernando Gont
> <fgont at si6networks.com>wrote:
> > On 08/23/2012 12:42 PM, Owen DeLong wrote:
> > > The reality, however, is that snooping doesn't solve the problem, it
> > > just tells you that it is happening.
> > ?? -- It blocks it.
> So, as I understand it DAI (Dynamic Arp Inspection) provides the blocking
> of arp-spoofing MIM attacks; dhcp snooping does the tracking and does
> block dhcp replies from non-allowed ports. Hmmm, so as I think about
> it, RA Guard will prevent a node from advertising itself as a router, in
> the same way that DHCP Snooping prevents an unauthorized node from
> answering dhcp requests. Will RA Guard stop a malicious end-point from
> spoofing the actual router's mac addr or ipv6 addr?
> Started out thinking I knew something, now am confused ;-(.
> Or perhaps the Neighbor Discovery process itself prevents that? Or do
> we need to do something like DAI, DNDI? Most of the MIM tools (I am
> thinking Cain and Abel & ettercap) send out gratuitous arps. Is this
> kind of thing possible with IPV6 Neighbor Discovery?
> dennis bohn
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
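The 'undetermined-transport' rule Eric refers to above (a first fragment whose header chain does not reach the layer-4 header may be dropped by a stateless device) can be checked by walking the extension-header chain. The following is an added example, not code from the list or from any vendor: the sample packets are constructed inline, and the minimum upper-layer header sizes it requires are this example's assumption.

```python
import struct

# Extension headers a stateless device must walk through to reach layer 4.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}
# Upper-layer protocols and the minimum header bytes that must be present (assumption: fixed sizes).
MIN_L4_LEN = {6: ("tcp", 20), 17: ("udp", 8), 58: ("icmpv6", 8), 59: ("no-next-header", 0)}

def classify(pkt: bytes) -> str:
    """Walk the IPv6 header chain of one raw packet (no link-layer header).
    Returns the layer-4 name when the whole chain, upper-layer header included,
    fits in the packet; 'undetermined-transport' when it runs off the end of a
    first fragment (droppable by a stateless filter); 'non-first-fragment' otherwise."""
    if len(pkt) < 40:
        return "undetermined-transport"
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS:
        if off + 2 > len(pkt):  # Next Header / Hdr Ext Len bytes missing
            return "undetermined-transport"
        if next_hdr == 44:  # Fragment header: fixed 8 octets, no Hdr Ext Len
            if off + 8 > len(pkt):
                return "undetermined-transport"
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return "non-first-fragment"
            hdr_len = 8
        else:  # Hdr Ext Len counts 8-octet units, not including the first
            hdr_len = (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + hdr_len
    name, min_len = MIN_L4_LEN.get(next_hdr, (f"proto-{next_hdr}", 0))
    return name if off + min_len <= len(pkt) else "undetermined-transport"

def ipv6(payload_len: int, next_hdr: int) -> bytes:
    """Constructed 40-octet IPv6 header; addresses are zero placeholders."""
    return struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, 64) + bytes(32)

def fragment_hdr(next_hdr: int, offset: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | int(more), 0xBEEF)

# Constructed samples: a first fragment carrying the full TCP header, a first
# fragment whose Destination Options header claims 16 octets but only 8 are
# present (layer 4 unreachable), and a non-first fragment.
SAMPLE_OK = ipv6(28, 44) + fragment_hdr(6, 0, True) + bytes(20)
SAMPLE_BAD = ipv6(16, 44) + fragment_hdr(60, 0, True) + bytes([6, 1]) + bytes(6)
SAMPLE_LATER = ipv6(12, 44) + fragment_hdr(6, 185, False) + bytes(4)

if __name__ == "__main__":
    for label, pkt in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("later", SAMPLE_LATER)):
        print(label, classify(pkt))
```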