
Re: Thoughts about RA and DHCPv6 in /etc/network/interfaces



>>>>> "chiel" == chiel  <chiel@gmx.net> writes:
    chiel> On 12/08/2010 08:51 PM, Jay Ford wrote:
    >> I agree that most things with a static IPv6 address probably
    >> don't also want a SLAAC address, but if you generalize this very
    >> much you'll cause trouble for some use scenarios. Basically,
    >> don't assume that static implies no SLAAC.
    >> 
    >> RAs have information you want/need, such as the net MTU & the
    >> router address, so don't discard the whole RA.

    chiel> So sending RA on the server network should be best practice? 
    chiel> I think that accepting the router address in this scenario
    chiel> still makes you vulnerable to mis-configured legitimate- and
    chiel> rogue nodes sending RA's, perhaps this also implies for the
    chiel> MTU.  I believe that static must really mean static. As in, I
    chiel> configure all network information myself and don't want any
    chiel> influence from outside on this behaviour.

(I guess we agree that one hasn't got any real security against
malicious nodes without something like SEND)

One can become secure against mis-configurations if one can distinguish
legitimate RAs from illegitimate ones.  In a semi-static configuration,
I'd want to configure:
    a) here is the list of prefixes that I want to accept.
    b) here is the list of MAC addresses that I will listen to.

I'd still, in the "my IPv6 address is static" case, want to listen to RAs,
because IPv6 makes it so much easier to have multiple routers on the
same link, and I want to know about them all. 
(vs IPv4, with VRRP/CARP or old-school RIP or OSPF...)

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
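As an added example (not code from the thread or from any of its participants), the filter Michael sketches above, applied to a Router Advertisement: accept the RA only if it comes from a MAC address on the configured list and every prefix it advertises is on the configured list. The trusted MAC and prefix values are assumptions for the example, and the RA bytes are constructed inline following the RFC 4861 layout.

```python
import ipaddress
import struct

# Assumed policy for this example: the routers we trust and the prefixes we expect.
ALLOWED_ROUTER_MACS = {"00:11:22:33:44:55"}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

ICMPV6_ROUTER_ADVERT = 134   # RFC 4861 message type
OPT_PREFIX_INFO = 3          # RFC 4861 option type


def parse_ra_prefixes(icmpv6: bytes):
    """Return the prefixes advertised in an ICMPv6 Router Advertisement.
    Layout: type(1) code(1) cksum(2) hoplimit(1) flags(1) lifetime(2)
    reachable(4) retrans(4), then TLV options sized in 8-octet units."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        body = icmpv6[off:off + opt_len * 8]
        if len(body) < opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, addr = body[2], body[16:32]   # prefix length, 16-byte prefix
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len * 8
    return prefixes


def ra_is_acceptable(src_mac: str, icmpv6: bytes) -> bool:
    """Accept only RAs from a trusted MAC whose prefixes are all configured."""
    if src_mac.lower() not in ALLOWED_ROUTER_MACS:
        return False
    return all(p in ALLOWED_PREFIXES for p in parse_ra_prefixes(icmpv6))


def build_ra(prefix: str) -> bytes:
    """Constructed sample RA with one Prefix Information option (for testing)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return header + opt
```

The link-layer source MAC is taken from the Ethernet frame that carried the RA; the check is a host-side counterpart of what RA Guard does on a switch and, as the thread notes, protects against mis-configuration rather than a deliberate spoofer.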

