DHCPv6 default gateway option?

Tim Peiffer peiffer at umn.edu
Wed Dec 8 18:14:55 UTC 2010


On 12/8/10 10:32 AM, Simon Hobson wrote:
> Randall C Grimshaw wrote:
>> Wow... I have to ask about the security concerns about this...
>> With dhcp, before dhcp snooping, we would have a lot of problems with 
>> rogue dhcp servers giving clients misinformation.
>> Is there any protection against rogue routers in an ipv6 paradigm?
>
> I don't see how there can be - if the client is expected to accept RA 
> broadcasts then any old router will screw up the network. So now you 
> will have to check not only for rogue DHCP servers (since they will 
> screw up clients too), but rogue routers with RA broadcasts.
>
> I really cannot see how omitting gateways from DHCP for IPv6 is 
> helpful in most managed environments.
>
The discussions about IPv6 and RA are drifting out of scope of this DHCP 
list.  RA is tangentially related to DHCP only in assignment of address 
and router in a SLAAC environment.  The IPv4 protections for rogue DHCP 
server exist at the access layers, and for IPv6 it exists at both the 
access layer, and the network layer (both Rogue DHCP server and Rogue RA).

The RA Guard is a known problem, and there are many options in play.  I 
would suggest that you consult the IPv6 related lists for details.  But 
in general, the below is how we solved it, or rather our current working 
mechanisms.

Regards,
Tim Peiffer

-- 
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP

+1 612 626-7884 (desk)

! example of IPv6 addressing and RA options controlled by DHCP server.
interface VLAN WWWW
  ipv6 address WWWW:WWWW:WWWW:WWWW::1/64
  ! advertise this router as the preferred default router (RA prf bits = high)
  ipv6 nd router-preference High
  ! set the O flag in RAs: clients still form addresses via SLAAC and fetch
  ! other configuration (DNS etc.) from DHCPv6; the M flag (managed-config-flag)
  ! is what moves address assignment itself to DHCPv6
  ipv6 nd other-config-flag
  ! relay the clients' DHCPv6 requests (UDP 546 -> 547) to the DHCPv6 server
  ipv6 dhcp relay destination ZZZZ:ZZZZ:ZZZZ::68

! example of IPv6 addressing assuming SLAAC
interface VLAN YYYY
  ipv6 address YYYY:YYYY:YYYY:YYYY::1/64
  ipv6 nd router-preference High

! generally access ports have base filtering applied to all ports
interface GigabitEthernetXX/XX/XX
  ip access-group Access_IN in
  ipv6 traffic-filter Access_IN_v6 in

! the IPv4 filter only clips the dhcp server response
ip access-list extended Access_IN
  remark * Standard Rogue DHCP Servers from customers filter *
  deny   udp any eq bootps any log
  permit ip any any
!
! the IPv6 filter clips the dhcp server response as well as icmp relating to RA.
! This does not work in a shared media environment such as wireless, etc.
ipv6 access-list Access_IN_v6
  remark * Standard Rogue RA from customers filter *
  ! ICMPv6 type 134 (router advertisement) and type 138 (router renumbering);
  ! clients only need to send router solicitations (type 133), which stay permitted
  deny icmp any any router-advertisement
  deny icmp any any router-renumbering
  remark * Standard Rogue DHCP Servers from customers filter *
  ! DHCPv6 server-to-client traffic has UDP source port 547; clients send from 546
  deny udp any eq 547 any
  permit ipv6 any any
!
ipv6 access-list NO_GUA_v6
  remark * Standard Rogue RA from customers filter *
  deny icmp any any router-advertisement
  deny icmp any any router-renumbering
  remark * Standard Rogue DHCP Servers from customers filter *
  deny udp any eq 547 any
  remark * Allow LinkLocal *
  permit ipv6 FE80::/10 FE80::/10
  remark * Deny everything else including GUA *
  deny ipv6 any any
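The access-list above drops RAs by ICMPv6 type, but on shared media (wireless, unmanaged switches) it cannot be applied, so the remaining option is to see the rogue RA and raise an alarm. The following is an added example, not part of Tim Peiffer's post or of any vendor feature: it decodes an ICMPv6 Router Advertisement (RFC 4861) from raw IPv6 packet bytes, including the M/O flags and the router-preference bits that the `ipv6 nd other-config-flag` and `ipv6 nd router-preference High` lines above set, and flags RAs that do not come from an allowlisted router or that advertise an unexpected prefix. The allowlists, the router addresses (`fe80::1`, `fe80::bad`), the documentation prefixes and the packets themselves are all constructed for illustration; extension headers are not handled, and the hop-limit and link-local checks are the validity rules RFC 4861 imposes on receivers.

```python
"""Decode ICMPv6 Router Advertisements and flag ones not from the expected router.
Added example: the allowlists, addresses and packets are constructed, not captured."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134   # the type "deny icmp any any router-advertisement" matches
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}
PRF_BITS = {v: k for k, v in PRF_NAMES.items()}


def icmpv6_checksum(src, dst, icmp):
    """RFC 8200 upper-layer checksum over pseudo-header (src, dst, length, next header) + ICMPv6."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(icmp), IPPROTO_ICMPV6) + icmp
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, prefix, *, managed=False, other_config=True, pref="high",
             lifetime=1800, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Build an IPv6 packet carrying an RA to ff02::1 with hop limit 255 (constructed test input)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address("ff02::1")
    flags = (0x80 if managed else 0) | (0x40 if other_config else 0) | (PRF_BITS[pref] << 3)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, lifetime, 0, 0)
    slla = struct.pack("!BB6s", 1, 1, mac)                  # source link-layer address option
    pio = struct.pack("!BBBBIII16s", 3, 4, prefix.prefixlen, 0xC0,   # prefix info, L and A flags set
                      2592000, 604800, 0, prefix.network_address.packed)
    icmp = bytearray(hdr + slla + pio)
    struct.pack_into("!H", icmp, 2, icmpv6_checksum(src, dst, bytes(icmp)))
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255,
                      src.packed, dst.packed)
    return ip6 + bytes(icmp)


def parse_ra(packet):
    """Parse an IPv6 packet (no extension headers) carrying a Router Advertisement."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", packet[4:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + payload_len]
    if next_hdr != IPPROTO_ICMPV6 or len(icmp) < 16:
        raise ValueError("no complete ICMPv6 payload")
    if icmpv6_checksum(src, dst, icmp) != 0:      # sum including the checksum field folds to zero
        raise ValueError("bad ICMPv6 checksum")
    typ, code, _csum, cur_hop, flags, rlife, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"ICMPv6 type {typ} code {code} is not a Router Advertisement")
    ra = {
        "src": src, "dst": dst, "hop_limit": hop_limit, "cur_hop_limit": cur_hop,
        "managed": bool(flags & 0x80),          # M flag: addresses from DHCPv6
        "other_config": bool(flags & 0x40),     # O flag: set by 'ipv6 nd other-config-flag'
        "router_preference": PRF_NAMES[(flags >> 3) & 0b11],  # 'router-preference High' -> 01
        "router_lifetime": rlife,               # 0 means "do not use me as a default router"
        "source_mac": None, "prefixes": [],
    }
    off = 16                                    # options are TLVs, length in units of 8 octets
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):
            raise ValueError("malformed option (RFC 4861: discard the packet)")
        body = icmp[off + 2:off + olen * 8]
        if otype == 1 and olen == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3 and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            net = ipaddress.IPv6Network((int.from_bytes(body[14:30], "big"), plen), strict=False)
            ra["prefixes"].append({"prefix": net, "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen * 8
    return ra


def classify_ra(ra, allowed_routers, allowed_prefixes):
    """Return the reasons an RA looks rogue; an empty list means it matches an expected router."""
    reasons = []
    if ra["hop_limit"] != 255:
        reasons.append("hop limit is not 255, so the RA was forwarded rather than sent on-link")
    if not ra["src"].is_link_local:
        reasons.append("source address is not link-local")
    if ra["src"] not in allowed_routers:
        what = "default router" if ra["router_lifetime"] > 0 else "router"
        reasons.append(f"unexpected {what} {ra['src']} (mac {ra['source_mac']})")
    for p in ra["prefixes"]:
        if p["prefix"] not in allowed_prefixes:
            reasons.append(f"unexpected prefix {p['prefix']}")
    return reasons


# Constructed sample: the legitimate router of the other-config-flag VLAN, then a rogue one.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
GOOD_RA = build_ra("fe80::1", ipaddress.IPv6Network("2001:db8:1::/64"))
ROGUE_RA = build_ra("fe80::bad", ipaddress.IPv6Network("2001:db8:bad::/64"),
                    other_config=False, mac=b"\xde\xad\xbe\xef\x00\x01")

if __name__ == "__main__":
    for pkt in (GOOD_RA, ROGUE_RA):
        ra = parse_ra(pkt)
        print(ra["src"], ra["router_preference"], "O" if ra["other_config"] else "-",
              classify_ra(ra, ALLOWED_ROUTERS, ALLOWED_PREFIXES) or "ok")
```

Feed it the IPv6 payload of frames captured on a monitor port or a wireless sniffer; a hit on "unexpected default router" is exactly the case the `deny icmp any any router-advertisement` line prevents on wired access ports. The hop-limit and link-local checks are there because an RA that fails them would be discarded by a conforming host anyway; what hosts do not discard is a well-formed RA from the wrong neighbour, which only the allowlist catches.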