DHCPv6 default gateway option?
Tim Peiffer
peiffer at umn.edu
Wed Dec 8 18:14:55 UTC 2010
On 12/8/10 10:32 AM, Simon Hobson wrote:
> Randall C Grimshaw wrote:
>> Wow... I have to ask about the security concerns about this...
>> With dhcp, before dhcp snooping, we would have a lot of problems with
>> rogue dhcp servers giving clients misinformation.
>> Is there any protection against rogue routers in an ipv6 paradigm?
>
> I don't see how there can be - if the client is expected to accept RA
> broadcasts then any old router will screw up the network. So now you
> will have to check not only for rogue DHCP servers (since they will
> screw up clients too), but rogue routers with RA broadcasts.
>
> I really cannot see how omitting gateways from DHCP for IPv6 is
> helpful in most managed environments.
>
The discussions about IPv6 and RA are drifting out of scope of this DHCP
list. RA is tangentially related to DHCP only in assignment of address
and router in a SLAAC environment. The IPv4 protections for rogue DHCP
server exist at the access layers, and for IPv6 they exist at both the
access layer and the network layer (both Rogue DHCP server and Rogue RA).
The RA Guard is a known problem, and there are many options in play. I
would suggest that you consult the IPv6 related lists for details. But
in general, the below is how we solved it, or rather our current working
mechanisms.
Regards,
Tim Peiffer
--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
+1 612 626-7884 (desk)
! example of IPv6 addressing and RA options controlled by DHCP server.
interface VLAN WWWW
ipv6 address WWWW:WWWW:WWWW:WWWW::1/64
ipv6 nd router-preference High
! other-config-flag sets the RA "O" bit: hosts fetch non-address options
! (DNS etc.) from DHCPv6. DHCPv6 assigns addresses only if the "M" bit
! (ipv6 nd managed-config-flag) is also set.
ipv6 nd other-config-flag
! SVI acts as DHCPv6 relay; server replies reach clients from this SVI.
ipv6 dhcp relay destination ZZZZ:ZZZZ:ZZZZ::68
! example of IPv6 addressing assuming SLAAC
interface VLAN YYYY
ipv6 address YYYY:YYYY:YYYY:YYYY::1/64
ipv6 nd router-preference High
! generally access ports have base filtering applied to all ports
interface GigabitEthernetXX/XX/XX
ip access-group Access_IN in
ipv6 traffic-filter Access_IN_v6 in
! the IPv4 filter only clips the dhcp server response
! (bootps = UDP/67, the source port a DHCPv4 server answers from)
ip access-list extended Access_IN
remark * Standard Rogue DHCP Servers from customers filter *
deny udp any eq bootps any log
permit ip any any
!
! the IPv6 filter clips the dhcp server response as well as icmp
! relating to RA.
! This does not work in a shared media environment such as wireless, etc.
ipv6 access-list Access_IN_v6
remark * Standard Rogue RA from customers filter *
deny icmp any any router-advertisement
deny icmp any any router-renumbering
remark * Standard Rogue DHCP Servers from customers filter *
! UDP/547 is the DHCPv6 server/relay source port (clients listen on 546)
deny udp any eq 547 any
permit ipv6 any any
!
ipv6 access-list NO_GUA_v6
remark * Standard Rogue RA from customers filter *
deny icmp any any router-advertisement
deny icmp any any router-renumbering
remark * Standard Rogue DHCP Servers from customers filter *
deny udp any eq 547 any
remark * Allow LinkLocal *
permit ipv6 FE80::/10 FE80::/10
remark * Deny everything else including GUA *
deny ipv6 any any
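Added example, not part of Tim's post or of the Cisco configuration above: where the port ACL approach does not apply, such as the shared-media case noted in the comments, the same two signals (Router Advertisements and DHCPv6 server traffic from anything other than the known SVI/relay) can be detected passively on a monitor port. The Python below parses raw Ethernet frames, flags RAs from unknown MACs (and RAs that violate RFC 4861's link-local source / hop-limit-255 rule), flags UDP/547-to-546 DHCPv6 messages from unknown MACs, and decodes the RA M/O flags and router preference that the `other-config-flag` and `router-preference High` lines above control. The MAC allow-list, addresses and sample frames are constructed for the example.

```python
"""Passive rogue RA / rogue DHCPv6-server detector (added example)."""
import struct
import ipaddress

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
IPPROTO_UDP = 17
ICMPV6_RA = 134
ICMPV6_ROUTER_RENUMBERING = 138
DHCPV6_SERVER_PORT = 547
DHCPV6_CLIENT_PORT = 546
PRF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}

# Constructed allow-list (assumption): MACs of the VLAN SVI(s) that may
# legitimately send RAs and relay DHCPv6 server replies on this segment.
KNOWN_INFRA_MACS = {"00:11:22:33:44:01"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, next_header, payload, hop_limit=255):
    """Ethernet + IPv6 + payload. Checksums stay zero: the detector never
    verifies them, so the constructed sample frames can stay short."""
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETH_P_IPV6)
    ip6 = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return eth + ip6 + payload


def ra_payload(m_flag=False, o_flag=False, prf=0b00, lifetime=1800):
    """ICMPv6 RA: type, code, csum, cur hop limit, flags(M|O|H|Prf), lifetime,
    reachable time, retrans timer (RFC 4861 / RFC 4191)."""
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0) | (prf << 3)
    return struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, lifetime, 0, 0)


def dhcpv6_server_payload(msg_type):
    """UDP header (547 -> 546) followed by DHCPv6 msg-type and 3-byte txid."""
    body = bytes([msg_type]) + b"\x00\x00\x01"
    return struct.pack("!HHHH", DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT,
                       8 + len(body), 0) + body


def classify(frame):
    """Return a finding dict for RA / router-renumbering / DHCPv6-server
    frames, or None for anything else (including truncated frames)."""
    if len(frame) < 54:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IPV6:
        return None
    ver_tc_fl, plen, nxt, hlim = struct.unpack("!IHBB", frame[14:22])
    if ver_tc_fl >> 28 != 6:
        return None
    src_ip = ipaddress.IPv6Address(frame[22:38])
    payload = frame[54:54 + plen]
    src_mac = mac_str(src)
    trusted = src_mac in KNOWN_INFRA_MACS
    base = {"src_mac": src_mac, "src_ip": str(src_ip)}
    if nxt == IPPROTO_ICMPV6 and len(payload) >= 16 and payload[0] == ICMPV6_RA:
        flags = payload[5]
        # RFC 4861 6.1.2: a valid RA has a link-local source and hop limit 255;
        # an RA failing that is treated as rogue even from a trusted MAC.
        return dict(base, kind="RA", managed=bool(flags & 0x80),
                    other_config=bool(flags & 0x40),
                    preference=PRF_NAMES[(flags >> 3) & 0x3],
                    rogue=not (trusted and src_ip.is_link_local and hlim == 255))
    if nxt == IPPROTO_ICMPV6 and payload and payload[0] == ICMPV6_ROUTER_RENUMBERING:
        return dict(base, kind="router-renumbering", rogue=not trusted)
    if nxt == IPPROTO_UDP and len(payload) >= 9:
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport == DHCPV6_SERVER_PORT and dport == DHCPV6_CLIENT_PORT:
            return dict(base, kind="DHCPv6-server", msg_type=payload[8], rogue=not trusted)
    return None


def scan(frames):
    """Rogue findings across a batch of captured frames, in capture order."""
    return [f for f in map(classify, frames) if f and f["rogue"]]


# Constructed sample traffic: one legitimate and one rogue RA, then a relayed
# DHCPv6 Reply (7) from the SVI and a DHCPv6 Advertise (2) from a rogue host.
LEGIT, ROGUE, ALL_NODES, CLIENT = ("00:11:22:33:44:01", "de:ad:be:ef:00:02",
                                   "33:33:00:00:00:01", "00:aa:bb:cc:dd:ee")
SAMPLE_FRAMES = [
    build_frame(LEGIT, ALL_NODES, "fe80::1", "ff02::1", IPPROTO_ICMPV6,
                ra_payload(o_flag=True, prf=0b01)),
    build_frame(ROGUE, ALL_NODES, "fe80::dead", "ff02::1", IPPROTO_ICMPV6,
                ra_payload(prf=0b01)),
    build_frame(LEGIT, CLIENT, "fe80::1", "fe80::ee", IPPROTO_UDP,
                dhcpv6_server_payload(7), hop_limit=64),
    build_frame(ROGUE, CLIENT, "2001:db8::bad", "fe80::ee", IPPROTO_UDP,
                dhcpv6_server_payload(2), hop_limit=64),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FRAMES):
        print(finding)
```

In production the frames would come from a raw socket or pcap on a monitor interface; the allow-list is keyed on MAC rather than IPv6 source because a rogue can trivially pick any link-local address, while the SVI's MAC is what the switch's port security and RA Guard policies already pin down.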