IETF Logo Mail Archive

Re: [v6ops] control and security of DHCP

joel jaeggli <joelja@bogus.com> Fri, 10 January 2014 19:08 UTC

Return-Path: <joelja@bogus.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 474AC1AE148 for <v6ops@ietfa.amsl.com>; Fri, 10 Jan 2014 11:08:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.438
X-Spam-Level:
X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dzlENppS9H3x for <v6ops@ietfa.amsl.com>; Fri, 10 Jan 2014 11:08:15 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id E2D6D1AE12E for <v6ops@ietf.org>; Fri, 10 Jan 2014 11:08:14 -0800 (PST)
Received: from mb-aye.local (c-50-174-18-221.hsd1.ca.comcast.net [50.174.18.221]) (authenticated bits=0) by nagasaki.bogus.com (8.14.7/8.14.7) with ESMTP id s0AJ7xYB077098 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 10 Jan 2014 19:08:00 GMT (envelope-from joelja@bogus.com)
Message-ID: <52D0450A.2010707@bogus.com>
Date: Fri, 10 Jan 2014 11:07:54 -0800
From: joel jaeggli <joelja@bogus.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Thunderbird/27.0
MIME-Version: 1.0
To: Mikael Abrahamsson <swmike@swm.pp.se>, Gert Doering <gert@space.net>
References: <1808340F7EC362469DDFFB112B37E2FCDA31A30EB1@SRVHKE02.rdm.cz> <52CFB8D5.70900@gmail.com> <B54D5283-8880-434A-A3C0-9BFF0081E13B@gmail.com> <20140110.124610.74672987.sthaug@nethelp.no> <60C5513D-B8DA-48D6-82D3-53E148F9F7BA@gmail.com> <52D0157D.6040009@foobar.org> <52D039B3.4020402@fud.no> <52D03E04.10207@bogus.com> <20140110184059.GR40453@Space.Net> <alpine.DEB.2.02.1401101942540.20074@uplift.swm.pp.se>
In-Reply-To: <alpine.DEB.2.02.1401101942540.20074@uplift.swm.pp.se>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="1LPF8S5gs55ITHRXIux7nWLcdUAbn6vfC"
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3 (nagasaki.bogus.com [147.28.0.81]); Fri, 10 Jan 2014 19:08:00 +0000 (UTC)
Cc: v6ops@ietf.org, Tore Anderson <tore@fud.no>, Pete Vickers <peter.vickers@gmail.com>
Subject: Re: [v6ops] control and security of DHCP
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 19:08:16 -0000

On 1/10/14, 10:45 AM, Mikael Abrahamsson wrote:
> On Fri, 10 Jan 2014, Gert Doering wrote:
> 
>> Nick's use case is fairly specific.  "If you want to live in my
>> datacenter,
>> these are the rules: do not listen to RA, use DHCPv6".
>>
>> This can be done.
> 
> Yes, but without intelligent inspection of RAs in the L2 network, there
> is basically no way to verify that this actually is the way things are
> configured. There are no RAs for a year, then a misconfiguration causes
> an RA to be emitted and then you find 5% of the machines in the DC
> haven't been configured to ignore RAs, and will now configure themselves
> by listening to this RA message.

Today (baring deliberate action) you'll probably find 100% of them
listening for RAs, which is either great because your deployment is
going to be a lot easier when you get to the edge, a ticking bomb, or both.

Which is at least partly why this is sitting with the RFC editor right now.

https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-implications-on-ipv4-nets/

That is clearly not an IPv6 deployment solution.

> This there is an absolute need to inspect traffic in the L2 network and
> thus the whole "I want a way to do this that doesn't suck when I don't
> have this L2 inspection functionality" falls flat imnho.

If you find it necessary to do that for IPv4 I have no doubt that you
will find it necessary for IPv6. There are other approaches, such as
limiting the diameter of the broadcast domain to a point you find
acceptable that might also be appropriate, if not always feasible.

v2.23.0 | Report a Bug | By Email