On 22/10/09 16:06 -0400, Chuck Anderson wrote:
On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
Really. How do we deal with rouge DHCP on the wireless LAN, obviously
this is such a complex issue that we couldn't possibly have a solution
that could be applied to RA.
Rogue DHCP doesn't immedately take down the entire subnet of machines
with existing DHCP leases. It generally only affects new machines
trying to get a lease, or RENEWing machines. The impact of a rogue RA
is to immediately break connectivity for every machine on the subnet.
Differing impacts leads to different risk assessments of which
protocol to use.
That breaks both ways. You could do maintenance in the middle of the night
and break DHCP in unexpected ways (which I've seen happen) and then you
have the problem of manually rebooting (or renewing) all those devices the
next morning when you notice they're not working.
We really just need to bug our vendors to implement Rogue RA
protection for wired and wireless ASAP, wherever we are in our
deployment of IPv6.
VLAN per subscriber fixes this. It's not really appropriate everywhere, but
it's a nice solution for wireless and ISP scenarios.
--
Dan White
