On Wednesday, May 14, 2003, at 03:10 PM, Bill Cerveny wrote:

> This was also the engineer's point -- he felt IPv4 DHCP was broken in this manner and this broken behavior was being perpetuated via IPv6 router advertisements.

Well, the only solutions are really:

        a) Static addressing
        b) Signed announcements, with replay protection
        c) layer-three switches to only allow announcements from certain

(c) is the only solution that doesn't nullify the benefits of autoconf, but it's expensive. (b) requires configuration on each host, and possibly even a lot of state keeping (for replay prevention) which defeats the autoconf goal.

If people on your networks can set up DHCP servers, IPv6 RA's, etc., then you shouldn't use those services on your network. Or just beware that it can happen.

Of course, they could just send out spoofed ARP replies, evil ICMP redirects, etc. to cause the same problems.
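
Option (b) above, sketched as an added example that is not part of the original message: a host-side verifier for signed announcements with replay protection. It assumes a pre-shared HMAC-SHA256 key in place of whatever signature scheme would really be used, and the key, router name and message layout are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration; not from the original message.
SHARED_KEY = b"constructed-demo-key"   # has to be provisioned on every host
ROUTER_ID = b"router-1"
TAG_LEN = 32                           # HMAC-SHA256 output size


def sign_announcement(key, router_id, counter, payload):
    """Router side: id length | id | 64-bit counter | payload | MAC tag."""
    body = struct.pack("!H", len(router_id)) + router_id
    body += struct.pack("!Q", counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AnnouncementVerifier:
    """Host side: checks the tag, then the per-router counter."""

    def __init__(self, key):
        self.key = key
        self.last_counter = {}  # router id -> highest counter accepted

    def verify(self, message):
        """Return (True, payload) or (False, reason)."""
        if len(message) < 2 + 8 + TAG_LEN:
            return (False, "truncated")
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad signature")
        (id_len,) = struct.unpack("!H", body[:2])
        if len(body) < 2 + id_len + 8:
            return (False, "truncated")
        router_id = body[2:2 + id_len]
        (counter,) = struct.unpack("!Q", body[2 + id_len:2 + id_len + 8])
        # Replay check: a correctly signed but already-seen counter is refused.
        if counter <= self.last_counter.get(router_id, -1):
            return (False, "replay")
        self.last_counter[router_id] = counter
        return (True, body[2 + id_len + 8:])


if __name__ == "__main__":
    host = AnnouncementVerifier(SHARED_KEY)
    ra = sign_announcement(SHARED_KEY, ROUTER_ID, 1, b"prefix=2001:db8::/64")
    print(host.verify(ra))   # accepted
    print(host.verify(ra))   # same bytes again: refused as a replay
```

The `last_counter` table has to survive reboots and grows with every legitimate sender, and the key has to reach each host before it can accept its first announcement; those are the configuration and state-keeping costs the message weighs against autoconf.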
