Re: Why has RFC 4941 been designed in such a way, that it might cause address conflicts?

Brian Haley <brian.haley@hp.com> Wed, 16 March 2011 16:50 UTC

Message-ID: <4D80EAB0.2050701@hp.com>
Date: Wed, 16 Mar 2011 12:52:00 -0400
From: Brian Haley <brian.haley@hp.com>
Organization: Open Source and Linux Organization
To: Markus Hanauska <hanauska@equinux.de>
Subject: Re: Why has RFC 4941 been designed in such a way, that it might cause address conflicts?
References: <C744C51B-F2B0-4137-B39F-54B8D62F1C97@equinux.de> <alpine.BSF.2.00.1103160951100.87087@mignon.ki.iif.hu> <3833B29B-1475-4BD7-B94D-7BD70AE4CB3B@equinux.de> <m1PznxD-0001dSC@stereo.hq.phicoh.net> <F83685EF-959F-488B-B4E8-FD41712F9BA6@equinux.de>
In-Reply-To: <F83685EF-959F-488B-B4E8-FD41712F9BA6@equinux.de>
Cc: ipv6@ietf.org
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>

On 03/16/2011 07:06 AM, Markus Hanauska wrote:
> 
> On 2011-03-16, at 11:27 , Philip Homburg wrote:
> 
>> You look up the MAC address for that IPv6 address and then block the MAC
>> address on your switches. Problem solved.
> 
> Sure, that will work. However, that means I have to invest time and work to solve a problem that would have been easily avoidable by a tiny standard change, and that did not arise because anyone made a mistake; it just has been recklessly accepted by the standard creators because it seemed unlikely. And this is a lot of work, since I cannot block it globally but have to work my way through all our managed switches, and I will get a problem in some parts of the network where unmanaged switches are used, which I might have to reboot after blocking to flush their address cache.

But you have to be able to do this anyway, because someone *is* going to
configure a system wrong and cause big problems; you can't assume an RFC
will protect you.  It's even extremely easy to disable DAD and manually
configure an address on a lot of systems - what will you do then?  If you
can't secure the configuration on a host, and you typically can't, you
have to do it in the infrastructure where you *do* control everything.

If I had $1 for every time I had to track down a system configured as
a default IPv6 router and sending bogus advertisements out, well, I'd have
about $10 :)  That's what happens when people google 'ipv6 configuration'
and blindly cut/paste commands...

-Brian
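The two infrastructure-side tasks the thread discusses, mapping an offending IPv6 address back to a MAC address so it can be blocked on a switch, and spotting hosts that send bogus Router Advertisements, can both be scripted. The following is an added example, not code from the thread or from any of its participants. It assumes capture lines in the shape of `tcpdump -e -n icmp6` output (the sample lines are constructed) and an operator-maintained allow-list of legitimate router MAC addresses; `KNOWN_ROUTER_MACS` and the sample addresses are assumptions. It also shows the caveat implicit in the discussion: a MAC can be recovered from a modified-EUI-64 interface identifier, but an RFC 4941 temporary address carries no such information, so for those you must consult the neighbor cache or the switch's forwarding table instead.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -e -n -i eth0 icmp6` output (not from the thread):
# one RA from the real router, one neighbor solicitation, two RAs from a host
# that was mistakenly configured as a router.
SAMPLE_CAPTURE = """\
12:00:01.000000 00:11:22:33:44:55 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: fe80::211:22ff:fe33:4455 > ff02::1: ICMP6, router advertisement, length 64
12:00:02.000000 aa:bb:cc:dd:ee:ff > 33:33:ff:33:44:55, ethertype IPv6 (0x86dd), length 86: :: > ff02::1:ff33:4455: ICMP6, neighbor solicitation, who has fe80::a8bb:ccff:fedd:eeff, length 32
12:00:03.000000 aa:bb:cc:dd:ee:ff > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::a8bb:ccff:fedd:eeff > ff02::1: ICMP6, router advertisement, length 56
12:00:04.000000 aa:bb:cc:dd:ee:ff > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::a8bb:ccff:fedd:eeff > ff02::1: ICMP6, router advertisement, length 56
"""

# Assumed allow-list: MAC addresses of the routers that are supposed to send RAs.
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
RA_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>" + MAC + r") > " + MAC + r", "
    r"ethertype IPv6 \(0x86dd\), length \d+: "
    r"(?P<src_ip>[0-9a-f:]+) > [0-9a-f:]+: ICMP6, router advertisement, length \d+$"
)


def parse_router_advertisements(capture_text):
    """Yield (timestamp, src_mac, src_ip) for each RA line; other ICMPv6 lines are skipped."""
    for line in capture_text.splitlines():
        m = RA_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("src_mac").lower(), m.group("src_ip").lower()


def find_rogue_advertisers(capture_text, known_router_macs):
    """Return {src_mac: {"src_ip", "count", "first_seen"}} for every RA sender
    whose MAC is not on the allow-list. The MAC, not the IPv6 source, is what the
    switch port filter described in the thread needs."""
    rogues = {}
    for ts, mac, ip in parse_router_advertisements(capture_text):
        if mac in known_router_macs:
            continue
        entry = rogues.setdefault(mac, {"src_ip": ip, "count": 0, "first_seen": ts})
        entry["count"] += 1
    return rogues


def mac_from_eui64(addr):
    """Recover the MAC from a modified-EUI-64 interface identifier (RFC 4291).

    Returns None when the IID does not carry the ff:fe marker, which is the case
    for RFC 4941 temporary addresses: those must be resolved through the neighbor
    cache (e.g. `ip -6 neigh`) rather than derived from the address itself."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip on the first octet and drop the ff:fe filler.
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    for mac, info in find_rogue_advertisers(SAMPLE_CAPTURE, KNOWN_ROUTER_MACS).items():
        derived = mac_from_eui64(info["src_ip"]) or "not EUI-64 (temporary address?)"
        print(f"rogue RA sender {mac} ({info['src_ip']}): {info['count']} RAs, "
              f"first seen {info['first_seen']}, MAC from IID: {derived}")
```

Feeding a live capture in place of `SAMPLE_CAPTURE` (for example `tcpdump -e -n -l icmp6 and 'ip6[40] == 134'` piped through the script) gives the per-port evidence needed before blocking the MAC; the allow-list check on the source MAC rather than the source address matters because a misconfigured host may well be advertising from a temporary or otherwise unpredictable address.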