Re: Rogue RA WGLC
Hi,
Some comments on <draft-chown-v6ops-rogue-ra-02.txt>.
Bob
----------
A class of solution that is missing from the draft is NAC (Network
Access Control) devices that look for bogus traffic (RAs in this case)
and have the ability to disable or quarantine the device by
controlling the appropriate switch port. This is a hybrid of some of
the methods suggested in the draft.
I think the discussion in the document of using DHCPv6 as a solution
to the rogue RA problem overstates the utility of this as a possible
solution, as it only moves the problem. DHC has the same class of
problems: rogue DHC servers, misconfigured DHC servers, etc., etc. We
haven't seen this as much in DHCPv6, but it's only a matter of time as
it's very common in IPv4. Just ask a university ISP what happens when
the students appear in the fall and plug in their own WLAN AP in
their dorm room. A zillion rogue DHC servers.
It would be nice to make this clearer in the draft.
I think it would make sense to expand the draft to cover both Rogue
RAs and Rogue DHCPv6 servers as I think we will need solutions for
both protocols and the problems are very similar.
Bob
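
An added example, not part of the message above or of the draft: a sketch of the detection half of the NAC approach the message describes, which parses mirrored Ethernet frames for ICMPv6 Router Advertisements (type 134) and reports the switch ports where an RA came from a MAC not on the authorized-router list. The port names, MAC addresses, frame builder and function names are constructed for illustration; disabling or quarantining the port is left to the NAC device.

```python
import ipaddress
import struct

ETH_IPV6 = 0x86DD   # EtherType for IPv6
NH_ICMPV6 = 58      # IPv6 Next Header value for ICMPv6
ICMPV6_RA = 134     # ICMPv6 type: Router Advertisement

def build_frame(src_mac, src_ip, icmp_type):
    """Constructed test frame: Ethernet + IPv6 + 16-byte ICMPv6 message (checksum left 0)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(12)
    eth = (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_IPV6))
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return eth + ip6 + icmp

def parse_ra(frame):
    """Return (src_mac, src_ip) if the frame carries an RA, else None."""
    if len(frame) < 14 + 40 + 4:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None                     # assumption: untagged frames (no VLAN header)
    ip6 = frame[14:54]
    # Assumption: ICMPv6 follows the IPv6 header directly. A production monitor
    # must also walk extension headers and handle fragments, or RAs can slip past.
    if ip6[0] >> 4 != 6 or ip6[6] != NH_ICMPV6 or frame[54] != ICMPV6_RA:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, str(ipaddress.IPv6Address(ip6[8:24]))

def ports_to_quarantine(observations, authorized_routers):
    """observations: iterable of (switch_port, frame). Returns {port: [rogue MACs]}."""
    rogue = {}
    for port, frame in observations:
        ra = parse_ra(frame)
        if ra and ra[0] not in authorized_routers:
            rogue.setdefault(port, set()).add(ra[0])
    return {port: sorted(macs) for port, macs in rogue.items()}

# Constructed sample data (documentation-range MACs, hypothetical port names).
AUTHORIZED = {"00:00:5e:00:53:01"}
SAMPLE = [
    ("Gi1/0/1", build_frame("00:00:5e:00:53:01", "fe80::1", ICMPV6_RA)),   # real router
    ("Gi1/0/7", build_frame("00:00:5e:00:53:aa", "fe80::aa", ICMPV6_RA)),  # unexpected RA
    ("Gi1/0/9", build_frame("00:00:5e:00:53:bb", "fe80::bb", 135)),        # NS, not an RA
]

if __name__ == "__main__":
    print(ports_to_quarantine(SAMPLE, AUTHORIZED))
```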