On Dec 30, 2013, at 6:56 PM, Owen DeLong <o...@delong.com> wrote: > You can accomplish the same thing in IPv4…. > > Plug in Sally’s PC with Internet Connection Sharing turned on and watch as her > DHCP server takes over your network.
No, the failure mode is still different.
With IPv6 RA's, the rouge router breaks all hosts on the LAN with a single
broadcast.
With a rogue DHCP server no currently working clients will stop working. In
fact many will do directed renews, and never notice said rogue server. It is
only a freshly booted host that might be captured by a rogue DHCP server.
In a corporate environment the difference between one user getting a rogue DHCP
server, being down, and asking for troubleshooting, and taking out an entire
department/floor/office is enormous.
> Yes, you have to pay attention when you plug in a router just like you’d have
> to pay attention if you plugged in a DHCP server you were getting ready to
> recycle.
>
> Incompetence in execution really isn’t the protocol’s fault.
We can't work around incompetent admins. Even the best humans goof from time
to time.
What we can do is design protocols that are robust, or not in the face of
stupidity and accident.
I should tell you about the time rogue RA's took down a data center network
because in the middle of the night the tech I was talking to couldn't tell if I
said port "fifteen" or port "fifty" over the phone, and thus plugged the router
into the wrong network taking down several hundred hosts. The IPv4 side was
fine for the 30 seconds or so until we straightened it out.
There's a reason why there's huge efforts to put RA guard in switches, and do
cryptographic RA's. These are two admissions that the status quo does not work
for many folks, but for some reason these two solutions get pushed over a
simple DHCP router assignment option.
--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
signature.asc
Description: Message signed with OpenPGP using GPGMail
