
Re: Rogue RA WGLC



Hi,

Some comments on <draft-chown-v6ops-rogue-ra-02.txt>.

Bob

----------

A class of solution that is missing from the draft is NAC (Network Access Control) devices that look for bogus traffic (RAs in this case) and have the ability to disable or quarantine the device by controlling the appropriate switch port. This is a hybrid of some of the methods suggested in the draft.

I think the discussion in the document of using DHCPv6 as a solution to the rogue RA problem overstates the utility of this as a possible solution, as it only moves the problem. DHC has the same class of problems: rogue DHC servers, misconfigured DHC servers, etc., etc. We haven't seen this as much in DHCPv6, but it's only a matter of time, as it's very common in IPv4. Just ask a university ISP what happens when the students appear in the fall and plug in their own WLAN AP in their dorm room. A zillion rogue DHC servers.

It would be nice to make this clearer in the draft.

I think it would make sense to expand the draft to cover both Rogue RAs and Rogue DHCPv6 servers, as I think we will need solutions for both protocols and the problems are very similar.

Bob