[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Tim Chown tjc at ecs.soton.ac.uk
Thu Sep 6 15:39:42 CEST 2012


On 6 Sep 2012, at 03:47, Jim Small <jim.small at cdw.com> wrote:

> Hi Tim,
>> 
>> We've found the Cisco first hop security implementation in their WLCs
>> problematic.  Hopefully the new 7.3 builds just released will fix this.
> 
> Just curious, can you share specifics?

I will try to dig them out.  We're deploying 7.3 very soon, so can see what changes that brings (from 7.2.x).  I think the general issue was with RAs not getting where they should, if you have SSIDs built from multiple VLANs.  Going to 7.3 will also fix a significant Windows 8 driver issue for their WLC/APs.

>> 
>> When I poll audiences of university network people, about half the hands go
>> up when I ask who uses DHCP snooping.
> 
> I'm actually very happy to hear that.  I am a fan of L2 security as it prevents a lot of threats and problems.  Lately I have experienced a resurgence of interest on the LAN side for 802.1X which I think is great.  The challenge specifically with DHCP snooping/DAI/IPSG is twofold:
> 1)  I have seen it break some applications.  For example, I believe we had problems with Bonjour or some Apple protocol/application.  In fact, this was in a large school campus.  The school just wanted to disable the security in favor of all Apple Apps working.  I'm not trying to pick on Apple alone, but this is a common problem.  Convincing customers to dig in and find a solution can be a challenge as sometimes the solutions take a fair amount of time.  How do you deal with protocol/application incompatibilities?
> 2)  Education - Using things like DHCP snooping/DAI/IPSG requires a better understanding of the network and how things work.  You need to understand DHCP snooping for example if you want to move your DHCP server.  While I can walk someone through how to do this, 6 months later they forgot, lost the documentation and are furious that they're taking an outage because for some reason DHCP doesn't work.

At least in the UK academic sites, eduroam is quite widespread, in maybe 150-200 sites, so admins are used to 802.1X, and some are extending it (or have already extended it) to wired points.

> This gets back to the age old question of how do you inspire people to take their game to the next level with their network expertise and to proactively monitor their networks to mitigate security threats.  Any takers?  :-)

Well, yes :)

Tim