Re: IPv6 confusion

2009-03-03 Thread Ralph Droms
Thanks to all who responded with input about why DHCPv6 should have options for default routers and prefix information. We've published a draft defining these options, which will be discussed at the upcoming IETF meeting in San Francisco. A New Internet-Draft is available from the on-li

Re: IPv6 Confusion

2009-02-20 Thread Adrian Chadd
On Thu, Feb 19, 2009, Bob Snyder wrote: > Frank Bulk wrote: > >Considering that the only real IPv6-ready CPE at your favorite N.A. > >electronics store is Apple's AirPort, it seems to me that it will be > >several years before the majority (50% plus 1) of our respective customer > >bases has IPv

Re: IPv6 Confusion

2009-02-19 Thread Randy Bush
> Do you really want to keep state for hundreds of end user devices in > your equipment? > > In my mind, IPv6 more than ever requires the customer to have their > own L3 device (which you delegate a /56 to with DHCPv6-PD). > > Imagine the size of your TCAM needed with antispoofing ACLs and > adja

RE: IPv6 Confusion

2009-02-19 Thread Mikael Abrahamsson
On Thu, 19 Feb 2009, Frank Bulk wrote: I probably tied CPE to NAT together in my mind... if I peel NAT out from what these CPE are doing, perhaps a PPPoE/A environment is the only place a L3 CPE will be needed with IPv6 anymore. FTTH, BWA, RFC 1483/RBE, and cable modems can bridge at L2 and e

Re: IPv6 Confusion

2009-02-19 Thread Bob Snyder
Frank Bulk wrote: Considering that the only real IPv6-ready CPE at your favorite N.A. electronics store is Apple's AirPort, it seems to me that it will be several years before the majority (50% plus 1) of our respective customer bases has IPv6-ready or dual-stack equipment. Actually, out of

RE: IPv6 Confusion

2009-02-19 Thread Frank Bulk
own IPv6 address. Frank -Original Message- From: Jack Bates [mailto:jba...@brightok.net] Sent: Thursday, February 19, 2009 7:42 AM To: Frank Bulk Cc: 'Brandon Galbraith'; nanog@nanog.org Subject: Re: IPv6 Confusion Frank Bulk wrote: > Considering that the only real IPv6-read

Re: IPv6 Confusion

2009-02-19 Thread Randy Bush
>> I can't think of a single working group chair/co-chair that's >> ever presented at NANOG and asked for feedback. > Were you at the last NANOG when I did everything but beg for feedback? no i was not but leo's post was simple flatulence randy

Re: IPv6 Confusion

2009-02-19 Thread Randy Bush
>> this is a slight exaggeration. it took me less than five years to get >> rid of NLAs, TLAs, ... wooo wooo! > Those were put in at the insistence of the ops / routing >> community complete and utter bs! randy

RE: IPv6 Confusion

2009-02-19 Thread Tony Hain
christopher.mor...@gmail.com wrote: > >... > > Yes people expect 1:1 functionality, but how many of them are > stepping up to > > how many vendors are implementing willy-nilly v4 feature requests for > their enterprise/isp customers? does it not seem reasonable to look at > each one and say: "Gosh

RE: IPv6 Confusion

2009-02-19 Thread Tony Hain
David Conrad wrote: > Tony, > > On Feb 18, 2009, at 11:13 AM, Tony Hain wrote: > > The bottom line is, if you want something to be defined in a way > > that works for you, you have to participate in the definition. > > Well, yes. But there is an impedance mismatch here. No argument. > > The I

RE: IPv6 Confusion

2009-02-19 Thread Tony Hain
Randy Bush wrote: > > The fact that the *nog community stopped participating in the IETF > has > > resulted in the situation where functionality is missing, because > nobody > > stood up and did the work to make it happen. > > the ops gave up on the ietf because it did no good to participate. so

Re: IPv6 Confusion

2009-02-19 Thread Mohacsi Janos
On Thu, 19 Feb 2009, Christopher Morrow wrote: That is not what the decision said. The point was that the DHCP WG was not going to decide for you what was necessary or appropriate to carry forward. Rather than add baggage that nobody actually uses, there is nothing until someone says 'I need

Re: IPv6 Confusion

2009-02-19 Thread Christopher Morrow
On Wed, Feb 18, 2009 at 5:30 PM, Tony Hain wrote: > Daniel Senie wrote: >> >... >> > No, the decision was to not blindly import all the excess crap from >> IPv4. If >> > anyone has a reason to have a DHCPv6 option, all they need to do is >> specify >> > it. The fact that the *nog community stopped

Re: IPv6 Confusion

2009-02-19 Thread Marshall Eubanks
On Feb 19, 2009, at 10:23 AM, Steven M. Bellovin wrote: On Thu, 19 Feb 2009 10:19:19 -0500 Leo Bicknell wrote: In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared Mauch wrote: Would it be insane to have an IETF back-to-back with a NANOG? Probably, but it would be a good

Re: IPv6 Confusion

2009-02-19 Thread Steven M. Bellovin
On Thu, 19 Feb 2009 10:19:19 -0500 Leo Bicknell wrote: > In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared > Mauch wrote: > > > > Would it be insane to have an IETF back-to-back with a NANOG? > > > > Probably, but it would be a good idea. :) > > I have no idea how the IETF

Re: IPv6 Confusion

2009-02-19 Thread Sandy Murphy
>Were you at the last NANOG when I did everything but beg for feedback? Maybe I should have been more helpful. Here's the link: http://www.nanog.org/meetings/nanog45/presentations/Wednesday/Murphy_light_sidr_N45.pdf --Sandy

Re: IPv6 Confusion

2009-02-19 Thread Leo Bicknell
In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared Mauch wrote: > > Would it be insane to have an IETF back-to-back with a NANOG? > Probably, but it would be a good idea. :) I have no idea how the IETF agenda is set, but that may be part of the trick. I suspect network opera

RE: IPv6 Confusion

2009-02-19 Thread Soucy, Ray
Response inline. -Original Message- From: Carl Rosevear [mailto:carl.rosev...@demandmedia.com] Sent: Tuesday, February 17, 2009 11:59 AM To: nanog@nanog.org Subject: IPv6 Confusion > How does IPv6 addressing work? RFC 2372 is a good starting point. With IPv6 we provide for every

Re: IPv6 Confusion

2009-02-19 Thread Jared Mauch
On Thu, Feb 19, 2009 at 09:56:35AM -0500, Sandy Murphy wrote: > >I can't think of a single > >> working group chair/co-chair that's ever presented at NANOG and asked > >> for feedback. > > Were you at the last NANOG when I did everything but beg for feedback? Would it be insane to have an IETF b

Re: IPv6 Confusion

2009-02-19 Thread Sandy Murphy
>I can't think of a single >> working group chair/co-chair that's ever presented at NANOG and asked >> for feedback. Were you at the last NANOG when I did everything but beg for feedback? --Sandy

Re: IPv6 Confusion

2009-02-19 Thread Tim Chown
On Wed, Feb 18, 2009 at 03:05:43PM -0600, Dale W. Carder wrote: > > On Feb 18, 2009, at 3:00 PM, Nathan Ward wrote: > > > >Is there something like this already that anyone knows of? > > http://tools.ietf.org/id/draft-chown-v6ops-rogue-ra-02.txt There will be an update of this prior to March's IE

Re: IPv6 Confusion

2009-02-19 Thread Jack Bates
Frank Bulk wrote: Considering that the only real IPv6-ready CPE at your favorite N.A. electronics store is Apple's AirPort, it seems to me that it will be several years before the majority (50% plus 1) of our respective customer bases has IPv6-ready or dual-stack equipment. On the other hand,

Re: IPv6 Confusion

2009-02-19 Thread Ralph Droms
Independent of this conversation, there has been some parallel interest in this problem area in the IETF. There is enough interest to suggest writing a draft defining additional options for DHCPv6 to allow "DHCPv6-only" operation. I'm writing as chair of the dhc WG to ask you, the operator

Re: IPv6 Confusion

2009-02-19 Thread David Freedman
> > I think, for example, that Juniper is making a mistake by rolling v6 > capability into a license that also includes BGP and ISIS on some > platforms. Cisco is guilty of this as well. > > I am not necessarily advocating that v6 must be a basic feature on every > new box; but I don't think it

Re: IPv6 Confusion

2009-02-19 Thread Nick Hilliard
On 19/02/2009 07:27, David Conrad wrote: those requirements to be. Unfortunately, that's not what we have. We have network operators in their own little world, trying to keep the network running and protocol developers in their own little world, trying to come up with cool features that will make

RE: IPv6 Confusion (back to technical conversation)

2009-02-19 Thread TJ
>>> I guess you don't use DHCP in IPv4 then. >> No, you seem to think the failure mode is the same, and it is not. >> Let's walk through this: >> 1) 400 people get on the NANOG wireless network. >> 2) Mr 31337 comes along and puts up a rogue DHCP server. >> 3) All 400 people continue working just f

RE: IPv6 Confusion

2009-02-19 Thread Frank Bulk
or dual-stack equipment. Frank -Original Message- From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com] Sent: Tuesday, February 17, 2009 8:28 PM To: Randy Bush Cc: nanog@nanog.org Subject: Re: IPv6 Confusion Sounds like those consumer ISPs better get started on rolling out dua

RE: IPv6 Confusion

2009-02-19 Thread Mikael Abrahamsson
On Thu, 19 Feb 2009, Frank Bulk wrote: The really scary thing is that deploying carrier-grade NAT might be cheaper to the service provider than rolling IPv6 to its residential subscribers. The really scary thing is that in areas where there are only two major ISPs, both might go for CGN and t

RE: IPv6 Confusion

2009-02-19 Thread Frank Bulk
;Carl Rosevear'; nanog@nanog.org Subject: Re: IPv6 Confusion The big iron folks are proposing something called "Carrier Grade NAT". This one REALLY frightens me, but I understand a couple of hardware manufacturers are planning on building such a monster. It might actually work, but

Re: IPv6 Confusion

2009-02-18 Thread Randy Bush
> This may be where Randy Bush derives his "IVTF" label. not exactly. see . > Yes, there have been attempts to bridge the two camps, but I suspect > the only way to really address this is a fundamental shift in the way > the IETF does business, t

Re: IPv6 Confusion

2009-02-18 Thread David Conrad
Tony, On Feb 18, 2009, at 11:13 AM, Tony Hain wrote: The bottom line is, if you want something to be defined in a way that works for you, you have to participate in the definition. Well, yes. But there is an impedance mismatch here. The IETF still seems to operate under the assumption that

Re: IPv6 Confusion

2009-02-18 Thread Mikael Abrahamsson
On Wed, 18 Feb 2009, Justin Shore wrote: Adoption of IPv6 would be better in my opinion if vendors didn't force us to pay a premium to use IPv6. It's hard enough to convince management that there is a need to implement IPv6. It's even harder when you tell them how much it costs. And when th

Re: IPv6 Confusion

2009-02-18 Thread Matthew Moyle-Croft
On 19/02/2009, at 12:27 PM, Nathan Ward wrote: From other discussion with you, your main concern is vendor support for a few things, right? The issue is that the vendors aren't actually sure what to implement because there's a distinct lack of standards as opposed to competing drafts,

Re: IPv6 Confusion

2009-02-18 Thread Merike Kaeo
Opsec wg also... about 2 years ago Ross Callon went to most NOGs to solicit input and I suppose now with Joel it'll be ongoing :) - merike On Feb 18, 2009, at 3:00 PM, Steven M. Bellovin wrote: On Wed, 18 Feb 2009 17:40:02 -0500 Leo Bicknell wrote: And let me ask you this question, why do

Re: IPv6 Confusion

2009-02-18 Thread Randy Bush
> I can't think of a single working group chair/co-chair that's ever > presented at NANOG and asked for feedback. i did a number of times. so have others. otoh, all that gets pretty destroyed by a few self-inflated ietf wannabes presenting org charts of the ietf and explaining what the grown-ups

Re: IPv6 Confusion

2009-02-18 Thread Randy Bush
> The fact that the *nog community stopped participating in the IETF has > resulted in the situation where functionality is missing, because nobody > stood up and did the work to make it happen. the ops gave up on the ietf because it did no good to participate. so the choice was spend the time ac

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 12:37 PM, Matthew Moyle-Croft wrote: On 19/02/2009, at 9:20 AM, Adrian Chadd wrote: Who says the IPv6 solutions need to be better than IPv4? Actually, with IPv6 I'd like _a_ solution that at least is viable and works - it doesn't have to be the final one, it doesn't

Re: IPv6 Confusion

2009-02-18 Thread Justin Shore
Mikael Abrahamsson wrote: Well, considering how very few vendors actually support IPv6, it's hard to find proper competition. Even the companies who do support IPv6 very well in some products, not all their BUs do on their own products (you know who you are :P ). Even worse is when the BU cha

Re: IPv6 Confusion

2009-02-18 Thread David Barak
If the IPv6 solutions are not going to be 'better' than v4, how about simply making sure that they are 'as good as' ipv4? Right now, I'd be hard pressed to think of a v6 function which is 'better' and I can think of a lot which are 'not as good as.' -David Barak Adrian Chadd wrote: > On Thu,

Re: IPv6 Confusion

2009-02-18 Thread Aria Stewart
On Feb 18, 2009, at 1:53 PM, Leo Bicknell wrote: Try that with an IPv6 router. About 10 ms after you plug into the wrong port out goes an RA, the entire subnet ceases to function, and your phone lights up like a christmas tree. Let me repeat, none of these solutions are secure. The IPv4/D

Re: IPv6 Confusion

2009-02-18 Thread Jack Bates
Adrian Chadd wrote: Who says the IPv6 solutions need to be better than IPv4? I think that IPv6 solutions will automatically be better than IPv4 based on the switch to multicast for handling things. That being said, I haven't seen the normal IPv4 solutions migrated to IPv6 as of yet in the

Re: IPv6 Confusion

2009-02-18 Thread Matthew Moyle-Croft
On 19/02/2009, at 9:20 AM, Adrian Chadd wrote: Who says the IPv6 solutions need to be better than IPv4? Actually, with IPv6 I'd like _a_ solution that at least is viable and works - it doesn't have to be the final one, it doesn't have to even be as good as IPv4, it just has to be able

Re: IPv6 Confusion

2009-02-18 Thread Marshall Eubanks
On Feb 18, 2009, at 5:57 PM, Joel Jaeggli wrote: Leo Bicknell wrote: I can't think of a single working group chair/co-chair that's ever presented at NANOG and asked for feedback. Then you were busy staring at your laptop and not watching the program. If the IETF wants this to be a two way stre

Re: IPv6 Confusion

2009-02-18 Thread Jeff S Wheeler
On Wed, 2009-02-18 at 16:45 -0600, Stephen Sprunk wrote: > I bet the latter is why the US DoD gave up on their hard IPv6 > requirements and now simply mandates that products be "software > upgradeable" to support IPv6... I think you will agree that vendor support for IPv6 has come a long way in t

Re: IPv6 Confusion

2009-02-18 Thread Steven M. Bellovin
On Wed, 18 Feb 2009 17:40:02 -0500 Leo Bicknell wrote: > And let me ask you this question, why do the operators have to go to > the IETF? Many of us have, and tried. I can't think of a single > working group chair/co-chair that's ever presented at NANOG and asked > for feedback. If the IETF wa

Re: IPv6 Confusion

2009-02-18 Thread Joel Jaeggli
Leo Bicknell wrote: > I can't think of a single working > group chair/co-chair that's ever presented at NANOG and asked for > feedback. Then you were busy staring at your laptop and not watching the program. > If the IETF wants this to be a two way street actions would > speak louder than words. In

Re: IPv6 Confusion

2009-02-18 Thread Adrian Chadd
On Thu, Feb 19, 2009, Nathan Ward wrote: > Yep. You asked your vendors to support equivalent IPv6 things at the > time though, so when you roll out IPv6 the support is ready, right? > > The point is that these deficiencies exist in IPv4, and I'm not sure > how you would solve them in IPv6 (as

Re: IPv6 Confusion

2009-02-18 Thread Stephen Sprunk
David Conrad wrote: If a vendor sales person indicates they are getting no requests for IPv6 support in their products (which would clearly be false since presumably you are requesting IPv6 support), It's hard to imagine a vendor that is getting _no_ requests for IPv6 support these days; ever

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Wed, Feb 18, 2009 at 02:32:24PM -0800, Tony Hain wrote: > So did you believe him and stop participating? Seriously, the -ONLY- way > the IETF can be effective is for the ops community to provide active > feedback. If you don't provide input, don't be surprised when the outp

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 11:20 AM, Adrian Chadd wrote: On Thu, Feb 19, 2009, Nathan Ward wrote: So, those people don't use DHCP in IPv4 if this is a concern, so I'm guessing they are not hoping to use DHCPv6 either. Static configuration of IP addressing information and other configuration will work

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
Leo Bicknell wrote: > ... > The last time I "participated" a working group chair told me "operators > don't know what they are talking about" and went on to say they should > be ignored. So did you believe him and stop participating? Seriously, the -ONLY- way the IETF can be effective is for the

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
Daniel Senie wrote: > >... > > No, the decision was to not blindly import all the excess crap from > IPv4. If > > anyone has a reason to have a DHCPv6 option, all they need to do is > specify > > it. The fact that the *nog community stopped participating in the > IETF has > > resulted in the situat

Re: IPv6 Confusion

2009-02-18 Thread Michael Dillon
> I have Googled and read RFCs about IPv6 for HOURS. Hours? Is that all? > How does IPv6 addressing work? The best overview that I know of is here: It is mostly summarised from a thread on the NANOG mailing list. Don't assume that an IP

Re: IPv6 Confusion

2009-02-18 Thread John Schnizlein
On 2009Feb18, at 5:11 PM, Leo Bicknell wrote: In a message written on Wed, Feb 18, 2009 at 01:39:57PM -0800, Tony Hain wrote: No, the decision was to not blindly import all the excess crap from IPv4. If anyone has a reason to have a DHCPv6 option, all they need to do is specify it. The fac

Re: IPv6 Confusion

2009-02-18 Thread Adrian Chadd
On Thu, Feb 19, 2009, Nathan Ward wrote: > So, those people don't use DHCP in IPv4 if this is a concern, so I'm > guessing they are not hoping to use DHCPv6 either. > Static configuration of IP addressing information and other > configuration will work just fine for them. > > I wonder, do the

Re: IPv6 Confusion

2009-02-18 Thread Daniel Senie
Tony Hain wrote: > Leo Bicknell wrote: >> ... >> But, when DHCPv6 was developed the "great minds of the world" decided >> less functionality was better. There /IS NO OPTION/ to send a default >> route in DHCPv6, making DHCPv6 fully dependant on RA's being turned on! >> So the IETF and other great

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Wed, Feb 18, 2009 at 01:39:57PM -0800, Tony Hain wrote: > No, the decision was to not blindly import all the excess crap from IPv4. If > anyone has a reason to have a DHCPv6 option, all they need to do is specify > it. The fact that the *nog community stopped participating i

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 10:07 AM, Leo Bicknell wrote: In a message written on Thu, Feb 19, 2009 at 10:00:48AM +1300, Nathan Ward wrote: The point I am making is that the solution is still the same - filtering in ethernet devices. No. I agree that in some environments DHCPv4/DHCPv6/RA filtering ar

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:22 AM, Owen DeLong wrote: There are also a number of security issues available in the "Just trust some unsolicited broadcast about where to send all your network traffic." approach to host bootstrapping that bother some people. So, those people don't use DHCP in IPv4 if

Re: IPv6 Confusion

2009-02-18 Thread Joel Jaeggli
Adrian Chadd wrote: > On Wed, Feb 18, 2009, Tony Hain wrote: > >> No, the decision was to not blindly import all the excess crap from IPv4. If >> anyone has a reason to have a DHCPv6 option, all they need to do is specify >> it. The fact that the *nog community stopped participating in the IETF ha

Re: IPv6 Confusion

2009-02-18 Thread Adrian Chadd
On Wed, Feb 18, 2009, Tony Hain wrote: > No, the decision was to not blindly import all the excess crap from IPv4. If > anyone has a reason to have a DHCPv6 option, all they need to do is specify > it. The fact that the *nog community stopped participating in the IETF has > resulted in the situati

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
Leo Bicknell wrote: > ... > But, when DHCPv6 was developed the "great minds of the world" decided > less functionality was better. There /IS NO OPTION/ to send a default > route in DHCPv6, making DHCPv6 fully dependant on RA's being turned on! > So the IETF and other great minds have totally remov

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
Owen DeLong wrote: > ... > If you want SLAAC or RA or whatever, more power to you. Some > installations > do not. They want DHCP equivalent functionality with the same > security model. It is always amusing when people equate DHCP with security... Outside of that, I do agree with you that the

Re: IPv6 Confusion

2009-02-18 Thread Jack Bates
Raymond Dijkxhoorn wrote: Is there something like RA filtering on switches yet, so end users can be filtered? Just like the dhcp stuff that's available on most switches nowadays... ? It's as annoying as fake DHCP servers... Per customer VLAN isolation (common to solve DHCP server issues). You

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
Justin Shore wrote: > ... > At this point I'm looking at doing 6to4 tunnels far into the future. You can forget that, as CGN will break 6to4. Get used to teredo (miredo), and if that is impeded don't be surprised when IPv6 over SOAP shows up. Tony

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Wed, Feb 18, 2009 at 04:11:40PM -0500, Kevin Loch wrote: > Leo Bicknell wrote: > >It wouldn't be so bad if we could just turn it off. Indeed, in > >part you can. On a static LAN there is no need for RA's. Static > >IP the box, static default route, done and done. > > > >

RE: IPv6 Confusion

2009-02-18 Thread Tony Hain
David Conrad wrote: > Tony, > > On Feb 17, 2009, at 12:17 PM, Tony Hain wrote: > > This being a list of network engineers, there is a strong bias > > toward tools > > that allow explicit management of the network. This is a fine > > position, and > > those tools need to exist. There are others tha

Re: IPv6 Confusion

2009-02-18 Thread Joel Jaeggli
Dale W. Carder wrote: > > On Feb 18, 2009, at 3:00 PM, Nathan Ward wrote: >> On 19/02/2009, at 9:53 AM, Leo Bicknell wrote: >>> >>> Let me repeat, none of these solutions are secure. The IPv4/DHCP model >>> is ROBUST, the RA/DHCPv6 model is NOT. >> >> The point I am making is that the solution is

Re: IPv6 Confusion

2009-02-18 Thread Kevin Loch
Leo Bicknell wrote: It wouldn't be so bad if we could just turn it off. Indeed, in part you can. On a static LAN there is no need for RA's. Static IP the box, static default route, done and done. VRRPv6 however is relevant to static environments and also needs to (optionally) work with RA

Re: IPv6 Confusion

2009-02-18 Thread Leen Besselink
Raymond Dijkxhoorn wrote: > Hi! > Hi, >>> networks with visitors have shown a serious problem with rogue RAs > >> Does that get better with RAs from the good routers turned off? >> >> Aria Stewart >> aredri...@nbtsc.org > > Is there something like RA filtering on switches yet, so end users can

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Thu, Feb 19, 2009 at 10:00:48AM +1300, Nathan Ward wrote: > The point I am making is that the solution is still the same - > filtering in ethernet devices. No. I agree that in some environments DHCPv4/DHCPv6/RA filtering are going to be a requirement. If I was running

Re: IPv6 Confusion

2009-02-18 Thread Dale W. Carder
On Feb 18, 2009, at 3:00 PM, Nathan Ward wrote: On 19/02/2009, at 9:53 AM, Leo Bicknell wrote: Let me repeat, none of these solutions are secure. The IPv4/DHCP model is ROBUST, the RA/DHCPv6 model is NOT. The point I am making is that the solution is still the same - filtering in ether

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:53 AM, Leo Bicknell wrote: In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300, Nathan Ward wrote: I guess you don't use DHCP in IPv4 then. No, you seem to think the failure mode is the same, and it is not. Let's walk through this: 1) 400 people get on the NAN

Re: IPv6 Confusion

2009-02-18 Thread Randy Bush
>> networks with visitors have shown a serious problem with rogue RAs > Does that get better with RAs from the good routers turned off? no, need to turn off listeners in this case the problems in the discovery space are sufficient to be causing a bit of effort to go into painting security on ex p

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:42 AM, sth...@nethelp.no wrote: 2) Some end-node box with a IPv6 stack from "Joe's Software Emporium and Bait-n-Tackle" sees an RA packet, and concludes that since RA and DHCPv6 are mutually exclusive, to ignore any DHCPv6 packets it sees, and hilarity ensues. They are not

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Thu, Feb 19, 2009 at 09:44:38AM +1300, Nathan Ward wrote: > I guess you don't use DHCP in IPv4 then. No, you seem to think the failure mode is the same, and it is not. Let's walk through this: 1) 400 people get on the NANOG wireless network. 2) Mr 31337 comes along and

Re: IPv6 Confusion

2009-02-18 Thread Mikael Abrahamsson
On Thu, 19 Feb 2009, Nathan Ward wrote: It seems there are lots of people who want auto configuration in IPv6 but who clearly do not do this in IPv4. That seems strange, to me. "Everybody" uses DHCP in IPv4, it's just that there is functionality in the equipment we use to make sure it can onl

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:34 AM, Leo Bicknell wrote: Allowing an UNAUTHENTICATED BROADCAST packet to determine where you send your traffic is insane. Rather than moving forward, this is a gigantic step backwards for security and reliability. I guess you don't use DHCP in IPv4 then. It seems th

Re: IPv6 Confusion

2009-02-18 Thread sthaug
> > 2) Some end-node box with a IPv6 stack from "Joe's Software Emporium > > and > > Bait-n-Tackle" sees an RA packet, and concludes that since RA and > > DHCPv6 > > are mutually exclusive, to ignore any DHCPv6 packets it sees, and > > hilarity > > ensues. > > > They are not mutually exclus

Re: IPv6 Confusion

2009-02-18 Thread Michael Thomas
Mikael Abrahamsson wrote: On Tue, 17 Feb 2009, Justin Shore wrote: different vendors, I asked each of them about their IPv6 support and they all unanimously claimed that there was no demand for it from their customers. Well, this is just ignorance or a kind of a lie. There might be few cust

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:15 AM, Randy Bush wrote: What operational reasons are there for working with RA turned off? networks with visitors have shown a serious problem with rogue RAs Networks with visitors have shown a serious problem with rogue DHCP servers. Networks with visitors that use D

Re: IPv6 Confusion

2009-02-18 Thread Leo Bicknell
In a message written on Wed, Feb 18, 2009 at 12:55:19PM -0700, Aria Stewart wrote: > What operational reasons are there for working with RA turned off? Not picking on the original poster, as I have no idea if they would have any personal experience with this or not. There was a kinder, gentl

Re: IPv6 Confusion

2009-02-18 Thread Raymond Dijkxhoorn
Hi! networks with visitors have shown a serious problem with rogue RAs Does that get better with RAs from the good routers turned off? Aria Stewart aredri...@nbtsc.org Is there something like RA filtering on switches yet, so end users can be filtered? Just like the dhcp stuff that's availa

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:17 AM, valdis.kletni...@vt.edu wrote: 2) Some end-node box with a IPv6 stack from "Joe's Software Emporium and Bait-n-Tackle" sees an RA packet, and concludes that since RA and DHCPv6 are mutually exclusive, to ignore any DHCPv6 packets it sees, and hilarity ensues.

Re: IPv6 Confusion

2009-02-18 Thread Nathan Ward
On 19/02/2009, at 9:08 AM, Chuck Anderson wrote: On Wed, Feb 18, 2009 at 12:55:19PM -0700, Aria Stewart wrote: On 18/02/2009 19:39, Kevin Loch wrote: Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? What opera

Re: IPv6 Confusion

2009-02-18 Thread Owen DeLong
On Feb 18, 2009, at 11:53 AM, Jack Bates wrote: Kevin Loch wrote: Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? You don't, because there isn't really a technical reason for turning off RA. RA is used as a

Re: IPv6 Confusion

2009-02-18 Thread Aria Stewart
On Feb 18, 2009, at 1:15 PM, Randy Bush wrote: What operational reasons are there for working with RA turned off? networks with visitors have shown a serious problem with rogue RAs Does that get better with RAs from the good routers turned off? Aria Stewart aredri...@nbtsc.org

Re: IPv6 Confusion

2009-02-18 Thread Adrian Chadd
On Wed, Feb 18, 2009, Jack Bates wrote: > Kevin Loch wrote: > >Just how DO we get the message to the IETF that we need all the tools we > >have in v4 (DHCP, VRRP, etc) to work with RA turned off? > > You don't, because there isn't really a technical reason for turning off > RA. RA is used as a st

Re: IPv6 Confusion

2009-02-18 Thread Valdis . Kletnieks
On Wed, 18 Feb 2009 12:55:19 MST, Aria Stewart said: > What operational reasons are there for working with RA turned off? If the intent is to feed the just-booted box all its network config via DHCPv6, including the network/netmask/default router, the *last* thing you want is a second box blabbin

Re: IPv6 Confusion

2009-02-18 Thread Randy Bush
> What operational reasons are there for working with RA turned off? networks with visitors have shown a serious problem with rogue RAs randy

Re: IPv6 Confusion

2009-02-18 Thread sthaug
> > Just how DO we get the message to the IETF that we need all the tools we > > have in v4 (DHCP, VRRP, etc) to work with RA turned off? > > You don't, because there isn't really a technical reason for turning off > RA. I'm glad to see that several of the big vendors seem to disagree with you.

Re: IPv6 Confusion

2009-02-18 Thread Chuck Anderson
On Wed, Feb 18, 2009 at 12:55:19PM -0700, Aria Stewart wrote: >> >> On 18/02/2009 19:39, Kevin Loch wrote: >>> Just how DO we get the message to the IETF that we need all the >>> tools we >>> have in v4 (DHCP, VRRP, etc) to work with RA turned off? > > What operational reasons are there for worki

Re: IPv6 Confusion

2009-02-18 Thread Aria Stewart
On 18/02/2009 19:39, Kevin Loch wrote: Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? What operational reasons are there for working with RA turned off? Aria Stewart aredri...@nbtsc.org

Re: IPv6 Confusion

2009-02-18 Thread Jack Bates
Kevin Loch wrote: Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? You don't, because there isn't really a technical reason for turning off RA. RA is used as a starting point. It can push you to DHCPv6 or any num

Re: IPv6 Confusion

2009-02-18 Thread John Schnizlein
Humor aside, the only practical answer is to show up at meetings and on mailing lists and express your technical reasons. There are people there (in addition to me) who want the perspective of network operators. John On 2009Feb18, at 2:45 PM, Nick Hilliard wrote: On 18/02/2009 19:39

Re: IPv6 Confusion

2009-02-18 Thread Nick Hilliard
On 18/02/2009 19:39, Kevin Loch wrote: Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? Easy. Disable all ipv4 at ietf meetings and change the address of the DNS server on the LAN every couple of minutes. Eatin

Re: IPv6 Confusion

2009-02-18 Thread Kevin Loch
David Conrad wrote: Yeah. Rants about the IETF should probably be directed elsewhere. Just how DO we get the message to the IETF that we need all the tools we have in v4 (DHCP, VRRP, etc) to work with RA turned off? - Kevin

Re: IPv6 Confusion

2009-02-18 Thread David Conrad
Kevin, On Feb 18, 2009, at 8:19 AM, Kevin Oberman wrote: You don't have to tell the truth to the losing sales folk... :-) Yes, I saw the smiley, but Sigh. Perhaps there needs to be an emoticon for "really joking, really. no, really.". Ethical issues aside, giving incorrect information t

Re: IPv6 Confusion

2009-02-18 Thread Dave Pooser
>> Well, considering how very few vendors actually support IPv6, it's >> hard to find proper competition. > > You don't have to tell the truth to the losing sales folk... : Or you could be truthful and say "we decided to go with the XYZ product, despite the fact that they don't support IPv6; if y

Re: IPv6 Confusion

2009-02-18 Thread Kevin Oberman
> From: David Conrad > Date: Wed, 18 Feb 2009 07:57:12 -1000 > > Mikael, > > On Feb 17, 2009, at 9:18 PM, Mikael Abrahamsson wrote: > >> Suggestion: next time you buy equipment from competing vendors, > >> tell the sales folk from the losing vendors that one deciding > >> factor was (vendor
