DHCPv6 default gateway option?
Randall C Grimshaw
rgrimsha at syr.edu
Wed Dec 8 16:11:55 UTC 2010
Wow... I have to ask about the security concerns about this...
With DHCP, before DHCP snooping, we would have a lot of problems with rogue DHCP servers giving clients misinformation.
Is there any protection against rogue routers in an IPv6 paradigm?
Randy
-----Original Message-----
From: dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org [mailto:dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org] On Behalf Of Simon Hobson
Sent: Wednesday, December 08, 2010 5:05 AM
To: Users of ISC DHCP
Subject: Re: DHCPv6 default gateway option?
Tim Gavin wrote:
>I don't understand the RFC process all that well, is it possible to
>build a gateway option into DHCPv6 even though it's not built into
>IPv6 itself?
Yes, but it wouldn't help much. If it's not standard, then clients
won't be supporting it. If clients don't support and act on a routers
option, then configuring it won't configure clients.
You could, for instance, add it to the ISC server and client and it
would work for them - but wouldn't be supported by any other vendors
unless you could get them to agree to include it. The best way to get
universal support is to get the standard updated to make it a
mandatory option for the client to support.
You'd also probably need an option to tell the clients to ignore any
RA advertisements as well.
So it would be essential to get it done properly through an updated
RFC - and I've no idea where to start with that.
I'd also like to see the hardware address/identifier added to the
DHCP packets from the client. So many people have systems set up
around this which is the nearest thing almost all devices have to a
persistent identifier.
Tim Gavin wrote:
> > I think the router is the most natural place to decide about routers.
>
>Wouldn't the DHCP server be the most natural place for that? The
>system that assigns the IP should also assign the rest of the
>connection information? Just like it does now in v4, the DHCP server
>should assign the IP, GW, Mask, DNS, and whatever else the admin needs
>to assign?
That would be my point as well.
I've experience of running a network with multiple routers on a site
and multiple sites. With IPv4 DHCP it's quite simple to configure
clients - you tell them an IP, netmask, and gateway. DHCP takes care
of the client config, the routers take care of routing traffic.
Ah but, I can almost hear people saying, why not let the routers
advertise the routes they can handle traffic for?
Well, suppose I have two routers that can route to a particular
network? Yes, that is what I had - but you really don't want traffic
arbitrarily routing over an international ISDN dial backup instead of
the frame relay WAN! Presumably you can configure routers to
send/not send route advertisements based on certain criteria - but
you are still reliant on clients being well behaved and picking up
changes as required. With HSRP, when something fails, the backup
router takes over the gateway IP & MAC and the clients don't need to
know anything. With RAs, you are reliant on clients picking up that a
route is no longer being advertised AND picking up that a different
one is now available AND acting on that in a timely manner. Based on
my experience in the IPv4 world I'm not confident of that.
Let me give you an example. At work I'm using two linux boxes as
gateway routers, using keepalived (when I've tested it and turned it
on) to switch the gateway IP between them. We had a hardware failure
last week and switched boxes - a week later, in spite of the spare
box not having the gateway IP configured (and not responding to ARP
requests), there is still outbound traffic being sent through the
inactive gateway because some box(es) must still be using stale
cached MAC addresses. It improved somewhat when I had the active box
ping each device, but there is still outbound traffic going via the
backup gateway.
If systems are not even expiring stale MAC addresses - even when they
are getting packets from the gateway address which should be
resetting the ARP cache entry - then what hope is there of them
correctly handling changing routes?
Another common scenario is when people use policy based routes - i.e.
different types of traffic follow different routes. For example, you
may have separate links for VoIP and data. This is quite common as
well, and I would definitely not want to trust clients to manage that.
So assuming you still need your routers to handle redirects etc. in
order for traffic to go where the admin wants it to go, then you
might as well let the routers handle all the routing and just pass
all your traffic to a default router as we do now.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
dhcp-users mailing list
dhcp-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users
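On the rogue-router question raised at the top of this thread: the standard switch-side mitigation is RA Guard (RFC 6105), which drops Router Advertisements arriving on ports that are not facing an authorized router. Where that is not available, a host or monitor port can at least detect unexpected RAs. The script below is an added example written for this page, not code from the thread or from ISC; it parses raw IPv6 packets, extracts the source, router lifetime and Prefix Information options of any Router Advertisement, and reports RAs whose source is not in an allowlist or whose prefix is not the one the site expects. The router addresses, prefixes and packets are constructed sample values (ICMPv6 checksums are left at zero since they are not validated here); a real deployment would feed it frames from a raw socket or pcap instead of SAMPLE_PACKETS.

```python
"""Flag unexpected IPv6 Router Advertisements (constructed example data)."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

# Assumed site policy (constructed values): the only router that may send RAs
# on this segment, and the only prefix it should announce.
AUTHORIZED_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = {"2001:db8:1::/64"}


def parse_router_advertisement(packet: bytes):
    """Return (source, router_lifetime, [prefix/len, ...]) for an IPv6 packet
    carrying an ICMPv6 Router Advertisement, or None for anything else."""
    if len(packet) < 40 + 16:            # IPv6 header + fixed RA header
        return None
    version = packet[0] >> 4
    next_header = packet[6]
    if version != 6 or next_header != ICMPV6_NEXT_HEADER:
        return None
    source = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    # RA: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer (16 bytes), then TLV options.
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    offset = 16
    while offset + 2 <= len(icmp):
        opt_type = icmp[offset]
        opt_len = icmp[offset + 1] * 8   # length is in units of 8 octets
        if opt_len == 0:                 # zero-length option: malformed, stop
            break
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            prefix_len = icmp[offset + 2]
            prefix = ipaddress.IPv6Address(icmp[offset + 16:offset + 32])
            prefixes.append(f"{prefix}/{prefix_len}")
        offset += opt_len
    return source, router_lifetime, prefixes


def audit_router_advertisements(packets, authorized_routers, expected_prefixes):
    """Return a list of alert strings for RAs that violate the site policy."""
    alerts = []
    for pkt in packets:
        parsed = parse_router_advertisement(pkt)
        if parsed is None:
            continue
        source, lifetime, prefixes = parsed
        if str(source) not in authorized_routers:
            alerts.append(f"unauthorized RA from {source} "
                          f"(lifetime={lifetime}, prefixes={prefixes})")
            continue
        for prefix in prefixes:
            if prefix not in expected_prefixes:
                alerts.append(f"authorized router {source} advertised "
                              f"unexpected prefix {prefix}")
        if lifetime == 0:
            # Lifetime 0 means "do not use me as a default router" (RFC 4861).
            alerts.append(f"authorized router {source} withdrew itself "
                          f"as default router (lifetime 0)")
    return alerts


def build_ra(src: str, router_lifetime: int, prefix: str, prefix_len: int) -> bytes:
    """Construct a minimal IPv6 packet carrying an RA with one Prefix
    Information option. Test data only; the ICMPv6 checksum is left zero."""
    prefix_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, prefix_len,
                             0xC0, 2592000, 604800, 0)
    prefix_opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                       router_lifetime, 0, 0) + prefix_opt
    ipv6_header = (struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, 255)
                   + ipaddress.IPv6Address(src).packed
                   + ipaddress.IPv6Address("ff02::1").packed)
    return ipv6_header + icmp


# Constructed capture: one legitimate RA, one from an unknown router,
# one from the real router announcing a prefix it should not, plus noise.
SAMPLE_PACKETS = [
    build_ra("fe80::1", 1800, "2001:db8:1::", 64),
    build_ra("fe80::dead:beef", 1800, "2001:db8:1::", 64),
    build_ra("fe80::1", 1800, "2001:db8:99::", 64),
    b"\x45" + b"\x00" * 59,              # not IPv6 at all
]

if __name__ == "__main__":
    for alert in audit_router_advertisements(SAMPLE_PACKETS,
                                             AUTHORIZED_ROUTERS, EXPECTED_PREFIXES):
        print("ALERT:", alert)
```

The parser deliberately stops on a zero-length option rather than looping, and it only trusts the source address for attribution, so a rogue that spoofs the legitimate router's link-local address would still pass the allowlist check; that is exactly why the port-level RA Guard filter, rather than host-side monitoring, is the primary control.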