DHCPv6 default gateway option?

Randall C Grimshaw rgrimsha at syr.edu
Wed Dec 8 16:11:55 UTC 2010


Wow... I have to ask about the security concerns about this...
With DHCP, before DHCP snooping, we would have a lot of problems with rogue DHCP servers giving clients misinformation.
Is there any protection against rogue routers in an IPv6 paradigm?
Randy

-----Original Message-----
From: dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org [mailto:dhcp-users-bounces+rgrimsha=syr.edu at lists.isc.org] On Behalf Of Simon Hobson
Sent: Wednesday, December 08, 2010 5:05 AM
To: Users of ISC DHCP
Subject: Re: DHCPv6 default gateway option?

Tim Gavin wrote:

>I don't understand the RFC process all that well, is it possible to
>build a gateway option into DHCPv6 even though it's not built into
>IPv6 itself?

Yes, but it wouldn't help much. If it's not standard, then clients 
won't be supporting it. If clients don't support and act on a routers 
option, then configuring it won't configure clients.

You could, for instance, add it to the ISC server and client and it 
would work for them - but wouldn't be supported by any other vendors 
unless you could get them to agree to include it. The best way to get 
universal support is to get the standard updated to make it a 
mandatory option for the client to support.
You'd also probably need an option to tell the clients to ignore any 
RA advertisements as well.

So it would be essential to get it done properly through an updated 
RFC - and I've no idea where to start with that.

I'd also like to see the hardware address/identifier added to the 
DHCP packets from the client. So many people have systems set up 
around this which is the nearest thing almost all devices have to a 
persistent identifier.


Tim Gavin wrote:

>  > I think the router is the most natural place to decide about routers.
>
>Wouldn't the DHCP server be the most natural place for that?  The
>system that assigns the IP should also assign the rest of the
>connection information?  Just like it does now in v4, the DHCP server
>should assign the IP, GW, Mask, DNS, and whatever else the admin needs
>to assign?

That would be my point as well.
I've experience of running a network with multiple routers on a site 
and multiple sites. With IPv4 DHCP it's quite simple to configure 
clients - you tell them an IP, netmask, and gateway. DHCP takes care 
of the client config, the routers take care of routing traffic.

Ah but, I can almost hear people saying, why not let the routers 
advertise the routes they can handle traffic for?
Well, suppose I have two routers that can route to a particular 
network? Yes, that is what I had - but you really don't want traffic 
arbitrarily routing over an international ISDN dial backup instead of 
the frame relay WAN! Presumably you can configure routers to 
send/not send route advertisements based on certain criteria - but 
you are still reliant on clients being well behaved and picking up 
changes as required. With HSRP, when something fails, the backup 
router takes over the gateway IP & MAC and the clients don't need to 
know anything. With RAs, you are reliant on clients picking up that a 
route is no longer being advertised AND picking up that a different 
one is now available AND acting on that in a timely manner. Based on 
my experience in the IPv4 world I'm not confident of that.

Let me give you an example. At work I'm using two linux boxes as 
gateway routers, using keepalived (when I've tested it and turned it 
on) to switch the gateway IP between them. We had a hardware failure 
last week and switched boxes - a week later, in spite of the spare 
box not having the gateway IP configured (and not responding to ARP 
requests), there is still outbound traffic being sent through the 
inactive gateway because some box(es) must still be using stale 
cached MAC addresses. It improved somewhat when I had the active box 
ping each device, but there is still outbound traffic going via the 
backup gateway.

If systems are not even expiring stale MAC addresses - even when they 
are getting packets from the gateway address which should be 
resetting the ARP cache entry, then what hope is there of them 
correctly handling changing routes?


Another common scenario is when people use policy based routes - i.e. 
different types of traffic follow different routes. For example, you 
may have separate links for VoIP and data. This is quite common as 
well, and I would definitely not want to trust clients to manage that.
So assuming you still need your routers to handle redirects etc in 
order for traffic to go where the admin wants it to go, then you 
might as well let the routers handle all the routing and just pass 
all your traffic to a default router as we do now.



-- 
Simon Hobson

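Randy's question above about protection against rogue routers, and the Router Advertisement behaviour Simon describes, in working form: an added example, not code from either poster or from ISC. It assumes a constructed allowlist of legitimate router link-local addresses (KNOWN_ROUTERS) and builds its own sample RA frames; it flags RAs from an unknown source, RAs whose hop limit is not 255 (RFC 4861 requires RAs to be link-local), and unknown senders that announce themselves as default gateway, which is the check an RA Guard style filter (RFC 6105) applies at the switch port.

```python
import ipaddress
import struct

# Constructed allowlist: link-local addresses of the routers the admin runs.
KNOWN_ROUTERS = {"fe80::1", "fe80::2"}

def parse_ra(frame: bytes):
    """Parse IPv6 header + ICMPv6 Router Advertisement; None if not an RA."""
    if len(frame) < 56:  # 40-byte IPv6 header + 16-byte fixed RA header
        return None
    next_hdr, hop_limit = frame[6], frame[7]
    if next_hdr != 58 or frame[40] != 134:  # 58 = ICMPv6, 134 = RA
        return None
    src = str(ipaddress.IPv6Address(frame[8:24]))
    router_lifetime = struct.unpack("!H", frame[46:48])[0]
    prefixes, off = [], 56
    while off + 2 <= len(frame):  # walk the TLV options (length in 8-octet units)
        opt_type, opt_len = frame[off], frame[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(frame):
            break  # malformed option: stop instead of looping or over-reading
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            prefix = ipaddress.IPv6Address(frame[off + 16:off + 32])
            prefixes.append(f"{prefix}/{frame[off + 2]}")
        off += opt_len
    return {"src": src, "hop_limit": hop_limit,
            "router_lifetime": router_lifetime, "prefixes": prefixes}

def check_ra(frame: bytes, known=KNOWN_ROUTERS):
    """Return alert strings for a suspicious RA; an empty list means it passed."""
    ra = parse_ra(frame)
    if ra is None:
        return []
    alerts = []
    if ra["src"] not in known:
        alerts.append(f"RA from unknown router {ra['src']} announcing {ra['prefixes']}")
        if ra["router_lifetime"] > 0:
            alerts.append(f"{ra['src']} offers itself as default gateway "
                          f"for {ra['router_lifetime']}s")
    if ra["hop_limit"] != 255:  # RFC 4861: RAs must arrive with hop limit 255
        alerts.append(f"hop limit {ra['hop_limit']} != 255 (not from a directly attached sender)")
    return alerts

def build_ra(src: str, lifetime: int, prefix: str, hop_limit: int = 255) -> bytes:
    """Construct a sample RA frame for testing (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += opt + net.network_address.packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp
```

On a live network the frame would come from a raw socket or pcap on the switch uplink; the same check_ra logic applies unchanged.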


