Hi,
On Mon, Apr 23, 2012 at 12:27:53PM -0400, valdis.kletni...@vt.edu wrote:
> On Mon, 23 Apr 2012 11:23:14 -0400, Chuck Anderson said:
> > > On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
> >> In a lot of cases, enforcing that all address assignments are via DHCP can
> >> still be
On Mon, 23 Apr 2012 11:23:14 -0400, Chuck Anderson said:
> > On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>> In a lot of cases, enforcing that all address assignments are via DHCP can
>> still be
>> counter-productive. Especially in IPv6.
> If a specific managed environment provide
On Apr 23, 2012, at 8:23 AM, Chuck Anderson wrote:
> On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>>
>> On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
>>
>>> On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
>>>
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>
> On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
>
> > On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> >> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> >>> Particularly good L2 switches also have
> >>> DAI or
On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
> On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
>> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
>>> Particularly good L2 switches also have
>>> DAI or "IP Source guard" IPv4 functions, which when properly
>>> enabled, can
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> > Particularly good L2 switches also have
> > DAI or "IP Source guard" IPv4 functions, which when properly
> > enabled, can foil certain L2 ARP and IPv4 source address spoofing
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> On 4/22/12, Grant Ridder wrote:
>
>> Most switches nowadays have dhcpv4 detection that can be enabled for port
>
> Yes. Many L2 switches have DHCPv4 "Snooping", where some port(s) can
> be so designated as trusted DHCP server ports, for certai
On 4/22/12, Grant Ridder wrote:
> Most switches nowadays have dhcpv4 detection that can be enabled for port
Yes. Many L2 switches have DHCPv4 "Snooping", where some port(s) can
be so designated as trusted DHCP server ports, for certain Virtual
LANs; and dhcp messages can be detected and suppres
Most switches nowadays have dhcpv4 detection that can be enabled for port
ranges. Not sure about v6.
-Grant
On Sun, Apr 22, 2012 at 11:32 PM, Joel jaeggli wrote:
> On 4/17/12 01:37 , Carlos Martinez-Cagnazzo wrote:
> > I don't understand why a problem with a tunnel 'leaves a bad taste with
> >
On 4/17/12 01:37 , Carlos Martinez-Cagnazzo wrote:
> I don't understand why a problem with a tunnel 'leaves a bad taste with
> IPv6'. Since when has a badly configured DNS zone left people with a 'bad
> taste for DNS', or a badly configured switch left people with 'a bad
> taste for spanning tree' or '
Thanks for useful reply everyone!
As I mentioned - I applied a quick temporary fix by stopping the broadcast
from the router and clearing the routing table on servers. Will apply
disabling of autoconfig now.
On Tue, Apr 17, 2012 at 5:25 PM, Mick O'Rourke wrote:
> RA guard is useful if your tcam capacity and o
RA guard is useful if your TCAM capacity and/or switching platform allows -
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-01
An older yet still a good read from Cisco on some IPv6 first hop security:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_s
tcpdump -e will show source and dest mac address.
On Apr 17, 2012, at 6:54 AM, Ray Soucy wrote:
> tcpdump -ni eth0 'ip6 dst ff02::1'
>
> 06:48:48.044409 IP6 fe80::2d0:1ff:fedf:8400 > ff02::1: ICMP6, router
> advertisement, length 64
You have a rogue IPv6 router on your network. It's not a host problem.
It's along the lines of having a rogue DHCP server on your network but
faster propagation.
It needs to be tracked down and disabled.
You can use tcpdump (as root) to capture IPv6 RA and see who's doing it,
and what's being a
On 17-4-2012 10:33, Carlos Martinez-Cagnazzo wrote:
IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.
Even
I don't understand why a problem with a tunnel 'leaves a bad taste with
IPv6'. Since when has a badly configured DNS zone left people with a 'bad
taste for DNS', or a badly configured switch left people with 'a bad
taste for spanning tree' or 'a bad taste for vlan trunking' ?
It seems to me that what
IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.
Not to mention that, as pointed out by others, this provides a wo
--On 16 April 2012 17.38.07 -0400 Brandon Penglase wrote:
direction of our security analyst) turn up a DA test server.
Needless to say, everything was horribly slow, and some things even
flat out broke.
To be expected when DNS is given the rôle of routing packets munged by
tunneling
On Mon, 16 Apr 2012 17:38:07 -0400, Brandon Penglase said:
> flat out broke. Sadly this event left a really sour taste for IPv6 with
> Networking department (whom I was occasionally bugging about v6).
Talking point: "If you guys had deployed a proper IPv6 infrastructure, those
tunnels wouldn't ha
I know you mentioned RedHat, but not if it was the router or other
servers. Were you playing with Microsoft's Direct Access and turn on
the dns entry (isatap.domain.com) internally?
At my current place of employment, we had a security student (at the
direction of our security analyst) turn up a DA
Anurag,
You have a rogue RA in your network. Now it is just an annoying DoS, but
it can easily be turned into a real security concern.
I suggest either deploying IPv6 properly or disabling it. I am more for
the former, but it is your choice.
Regards
-as
On 16 Apr 2012, at 15:09, Anura
On Mon, 16 Apr 2012 23:39:46 +0530, Anurag Bhatia said:
More a host config issue than a NANOG issue, but what the heck...
> I wonder if anyone else also had similar issues? Also, if my guesses are
> correct then how can we disable Red Hat distro oriented servers from taking
> such automated confi
Hi Anurag,
On 16 Apr 2012, at 20:09, Anurag Bhatia wrote the following:
> Hello everyone
> I wonder if anyone else also had similar issues? Also, if my guesses are
> correct then how can we disable Red Hat distro oriented servers from taking
> such automated configuration - simple DHC
To completely disable ipv6 in Redhat:
1) Modify /etc/modprobe.conf (add)
alias ipv6 off
alias net-pf-10 off
options ipv6 disable=1
2) Modify /etc/sysconfig/network (add)
NETWORKING_IPV6=no
I usually also add
NOZEROCONF=yes
That should completely disable ipv6 in Redhat