On Thu, 23 Jun 2011, Mark Smith wrote:
Hub-and-spoke or point-to-point reachability is what they want. If it is
possible to enforce a hub-and-spoke topology on an Ethernet LAN by
preventing the 1-to-many or 1-to-any capability, in effect making it an
NBMA link-layer, or creating a
On Wed, 22 Jun 2011, Ted Lemon wrote:
So if in fact it is impossible for RA to be adequately secured on an
ethernet, then we need to fix RA, or come up with a different solution,
not slap a bandage on it and call it done.
I don't see how it can be fixed. Short of encrypting all traffic and
Subject: Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
From: Ted Lemon ted.le...@nominum.com
Date: Wed, 22 Jun 2011 20:56:52 -0400
To: Mark Smith i...@69706e6720323030352d30312d31340a.nosense.org
CC: v6...@ietf.org, ipv6@ietf.org
On 23 Jun 2011, at 08:03, Mikael Abrahamsson wrote:
Securing L2 networks is something not generally done today in enterprise and
surprisingly often in SP environments as well. This can be seen by all the
problems reported by Windows ICS v6 RAs being sent out and causing problems
to other
Mikael Abrahamsson wrote:
On Thu, 23 Jun 2011, Ray Hunter wrote:
too. But RA Guard should not be a prerequisite for reliably setting
a default route on Ethernet, simply because corporate LAN switches
generally have to last 5-10 years or so before being replaced.
I don't see 5-10 year
On Jun 23, 2011, at 2:36 AM, Mikael Abrahamsson wrote:
I don't see how it can be fixed. Short of encrypting all traffic and
pre-distributing keys, ethernet can't be fixed without the bandaids you
seem to call the measures being used widely to assure ethernet can in fact be
used securely.
Ted Lemon wrote:
There probably is no single solution. But let's consider the solution
Mark proposed: use the fact that you control the infrastructure to
control the flow of packets on the network in such a way that rogue RAs
cannot reach leaf nodes. The reason I object to this solution,
On Jun 23, 2011, at 4:40 PM, Manfredi, Albert E wrote:
Your solutions appear to be more client-oriented.
That's correct. Ultimately the security of the client depends on the client
being secure. Trying to secure the client by securing the network is a noble
cause, but ultimately doomed to
Ted Lemon wrote:
That's correct. Ultimately the security of the client depends on the
client being secure. Trying to secure the client by securing the
network is a noble cause, but ultimately doomed to failure, because you
can't control what networks the client connects to.
No, I think
On Jun 23, 2011, at 5:31 PM, Manfredi, Albert E wrote:
It is service providers that are interested in protecting their networks, in
this discussion. If they also happen to protect their clients, that is just a
nice byproduct.
That's fine for service providers, but service providers are not
On Jun 23, 2011, at 6:08 PM, Philip Homburg wrote:
Ideally, clients use end-to-end crypto to keep themselves secure, but the
network still has to be protected against denial of service attacks.
No, strictly speaking the *clients* need to be protected against DoS attacks.
One way to do this
For many years I just filtered out rogue RAs on my laptop at IETF.
I looked at which routers were advertising which prefixes and
configured an allow list in the firewall for those that looked correct
and denied the rest. Then I removed the bogus addresses, generated
as the result of those RAs,
Hi,
On Thu, 23 Jun 2011 16:30:37 -0400
Ted Lemon ted.le...@nominum.com wrote:
On Jun 23, 2011, at 2:36 AM, Mikael Abrahamsson wrote:
I don't see how it can be fixed. Short of encrypting all traffic and
pre-distributing keys, ethernet can't be fixed without the bandaids you
seem to call
On 6/23/11 15:30 CDT, Ted Lemon wrote:
On Jun 23, 2011, at 2:36 AM, Mikael Abrahamsson wrote:
I don't see how it can be fixed. Short of encrypting all traffic
and pre-distributing keys, ethernet can't be fixed without the
bandaids you seem to call the measures being used widely to
assure
On 06/22/2011 08:34 AM, Mark Smith wrote:
I think it is a bit ironic that if a L2 device has to parse all extension
headers, that then L2 switching of IPv6 packets will be more expensive than
L3 routing them.
It may be getting to the point where it'd probably be easier
to address these
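Two of the snippets above describe concrete mechanics: the laptop-side allow list of routers whose RAs are accepted, and the point that a link-layer filter has to parse the whole extension-header chain, since an RA whose base header says "Destination Options" or "Fragment" rather than "ICMPv6" slips past a filter that only reads the base header. The Python below is an added example, not code from this thread or from any RA-Guard implementation: it builds constructed sample packets inline (ICMPv6 checksum left zero, so they are not sendable), shows the naive check missing the hidden RA, walks the chain properly, and applies an allow list of assumed router link-local addresses (fe80::1 and fe80::2 are illustrative). Function names are the example's own.

```python
"""Added example: an RA filter that walks the IPv6 extension-header chain
and applies a per-router allow list. Constructed packets only (checksums
left zero); not the thread's own code."""
import ipaddress
import struct

# Protocol numbers relevant to the header chain.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
RA_TYPE = 134                                   # ICMPv6 Router Advertisement
EXT_HEADERS = (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS)


def build_ra(src, ext_headers=0, fragment=False, frag_offset=0):
    """Construct an RA from `src` to ff02::1, optionally hidden behind
    `ext_headers` Destination Options headers and/or a Fragment header
    (frag_offset in 8-octet units; non-zero means a non-first fragment).
    Constructed test data: the ICMPv6 checksum is left zero."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    payload = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    nh = ICMPV6
    for _ in range(ext_headers):
        # Destination Options: Next Header, Hdr Ext Len 0 (= 8 bytes), PadN(4)
        payload = struct.pack("!BB", nh, 0) + b"\x01\x04\x00\x00\x00\x00" + payload
        nh = DEST_OPTS
    if fragment:
        # Fragment header: Next Header, reserved, offset<<3 | M flag, identification
        payload = struct.pack("!BBHI", nh, 0, frag_offset << 3, 0x1234) + payload
        nh = FRAGMENT
    base = struct.pack("!IHBB", 0x60000000, len(payload), nh, 255)
    base += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return base + payload


def naive_is_ra(pkt):
    """The check a simplistic filter makes: trust the base header's Next Header."""
    return (len(pkt) > 40 and pkt[0] >> 4 == 6
            and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE)


def walk_chain(pkt):
    """Follow the extension-header chain to the upper-layer header.
    Returns (next_header, payload_offset, src, complete); complete is False
    when a non-first fragment was met, i.e. the upper-layer header lives in
    another fragment and is not visible in this packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    src = ipaddress.IPv6Address(pkt[8:24])
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension-header chain")
        next_nh = pkt[off]
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return next_nh, off + 8, src, False
            hdr_len = 8                       # Fragment header is fixed size
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes first 8 octets
        off += hdr_len
        nh = next_nh
    return nh, off, src, True


def is_ra(pkt):
    """Full-chain check; None when the ICMPv6 type sits in another fragment."""
    nh, off, _, complete = walk_chain(pkt)
    if nh != ICMPV6:
        return False
    if not complete:
        return None
    return off < len(pkt) and pkt[off] == RA_TYPE


def verdict(pkt, allowed_routers):
    """Filter decision: RAs pass only from allow-listed router link-local
    sources; ICMPv6 whose type cannot be seen (non-first fragment) is
    dropped, so the filter fails closed rather than open. Non-ICMPv6 and
    non-RA ICMPv6 traffic is not this filter's business and passes."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed_routers}
    nh, off, src, complete = walk_chain(pkt)
    if nh != ICMPV6:
        return "accept"
    if not complete:
        return "drop"
    if off >= len(pkt) or pkt[off] != RA_TYPE:
        return "accept"
    return "accept" if src in allowed else "drop"


if __name__ == "__main__":
    routers = ["fe80::1"]                     # assumed legitimate router LLA
    for label, pkt in [("plain rogue", build_ra("fe80::2")),
                       ("rogue behind 2 DestOpts", build_ra("fe80::2", ext_headers=2)),
                       ("rogue in non-first fragment",
                        build_ra("fe80::2", fragment=True, frag_offset=1))]:
        print(f"{label}: naive={naive_is_ra(pkt)} chain={is_ra(pkt)} "
              f"verdict={verdict(pkt, routers)}")
```

The naive check returns False for the RA behind two Destination Options headers, which is exactly the evasion the thread is about; walking the chain finds it and the allow list then drops it because fe80::2 is not a known router. The non-first-fragment case shows the trade-off a filter that cannot reassemble must make: drop ICMPv6 it cannot classify, or let hidden RAs through.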
Hi Fernando,
On Fri, 24 Jun 2011 00:17:01 -0300
Fernando Gont ferna...@gont.com.ar wrote:
On 06/22/2011 08:34 AM, Mark Smith wrote:
I think it is a bit ironic that if a L2 device has to parse all extension
headers, that then L2 switching of IPv6 packets will be more expensive than
L3
On Thu, 23 Jun 2011, Ted Lemon wrote:
Is there a way that someone who is not running 802.1x can demonstrate
that they control layer 2?
Doesn't 802.1x only control access as an on/off switch? As soon as you're
connected to the network, I thought it was back to flat L2 default
ethernet again?
On Thu, 23 Jun 2011, Manfredi, Albert E wrote:
It is service providers that are interested in protecting their
networks, in this discussion. If they also happen to protect their
clients, that is just a nice byproduct.
We want to protect the Internet from our customers, not our customers from