In a message written on Thu, Oct 22, 2009 at 03:23:13PM -0400, Ray Soucy wrote:
> If the argument against RA being used to provide gateway information
> is "rogue RA," then announcing gateway information through the use of
> DHCPv6 doesn't solve anything. Sure you'll get around rogue RA, but
> you'll still have to deal with rogue DHCPv6. So what is gained?
It's a huge difference, and any conference network shows it. Let's assume 400 people come into a room, get up and working (with DHCPv4 and IPv6 RAs). Someone now introduces a rogue IPv4 server. Who breaks? Anyone who requests a new lease. That is, 400 people keep working just fine. Now someone introduces a rogue RA. Who breaks? All 400 users are instantly down.

More importantly, there is another class of misconfigured device. I plugged in a Cisco router to download new code to it on our office network. It had a DHCP forward statement, and IPv6. It was from another site. The DHCP forward didn't work; it pointed to something non-existent that also was never configured for the local subnet. There was zero chance of IPv4 interference. The IPv6 network picked up the RA to a router with no routes though, and so simply plugging in the old router took down the entire office network.

The operational threats of a DHCP based network and an RA based network are quite different. Try it on your own network.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
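A defender-side check for the rogue-RA failure mode described above, added here as an example and not code from the thread: it parses ICMPv6 Router Advertisements out of raw IPv6 packets and flags any that arrive from a router, or advertise a prefix, outside a constructed allow-list (the fe80::1 and 2001:db8:1::/64 values are assumptions), and also flags RAs whose IP hop limit is not 255, which RFC 4861 requires hosts to discard. The `build_ra` helper only assembles test packets in memory so the checks can be exercised offline.

```python
import ipaddress
import struct

# Constructed allow-list for this segment (example values, not from the thread).
KNOWN_ROUTERS = {"fe80::1"}
KNOWN_PREFIXES = {"2001:db8:1::/64"}

def parse_ra(pkt: bytes):
    """Parse an IPv6 packet carrying an ICMPv6 Router Advertisement (type 134)."""
    if len(pkt) < 56 or pkt[6] != 58 or pkt[40] != 134:
        return None  # not ICMPv6, or not an RA
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    router_lifetime = struct.unpack("!H", pkt[46:48])[0]
    prefixes, pos = [], 56  # options start after the 16-byte RA header
    while pos + 2 <= len(pkt):
        otype, olen = pkt[pos], pkt[pos + 1] * 8
        if olen == 0:
            break  # malformed option length; stop rather than loop forever
        if otype == 3 and olen == 32:  # Prefix Information option
            prefixes.append(f"{ipaddress.IPv6Address(pkt[pos + 16:pos + 32])}/{pkt[pos + 2]}")
        pos += olen
    return {"src": src, "hop_limit": pkt[7],
            "router_lifetime": router_lifetime, "prefixes": prefixes}

def rogue_ra_findings(pkt: bytes):
    """Return a list of reasons this RA should be alerted on (empty if it looks legitimate)."""
    ra = parse_ra(pkt)
    if ra is None:
        return []
    findings = []
    if ra["hop_limit"] != 255:
        findings.append("hop limit != 255 (RFC 4861 says hosts must drop it)")
    if ra["src"] not in KNOWN_ROUTERS:
        findings.append(f"unknown router {ra['src']} (router lifetime {ra['router_lifetime']})")
    for p in ra["prefixes"]:
        if p not in KNOWN_PREFIXES:
            findings.append(f"unexpected prefix {p}")
    return findings

def build_ra(src, prefix, hop_limit=255, router_lifetime=1800):
    """Constructed test packet: IPv6 header + RA + one Prefix Information option.
    The ICMPv6 checksum is left zero because the detector above never checks it."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    icmp += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp
```

In practice the same logic belongs at the switch (RA Guard) rather than in a host-side script, but running it over a capture shows how few bytes separate a legitimate RA from the one that took the office network down.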