[c-nsp] IPv6 experience on DSBU switches

Alexander Clouter alex at digriz.org.uk
Wed Aug 26 09:52:25 EDT 2009


Hi,

* Gert Doering <gert at greenie.muc.de> [2009-08-26 14:09:25+0200]:
>
> On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
> > The sad part is that no one can get the in production experience of IPv6 
> > because the vendors do not support it.  You generally have to make do 
> > with what you can and use Linux as 'duct-tape' for the bits that are 
> > lacking...
> 
> Oh, well, it's not *so* bad.  
> 
> Some things are lacking, but the conclusion "the box cannot do radius 
> over IPv6 transport" == "not ready for production IPv6 deployment" is 
> not something I can agree to.
>
Exaggerated, definitely[1], but when Cisco's only answer for you to assign 
IPs (accountably) is to use DHCPv6 it's a bit of a crappy welcoming 
mat; there are not many DHCPv6 servers out there and it defeats a lot of IPv6 
benefits (especially now that RFC 5006 is 'here').
 
> I expect that we'll have to run IPv4 in parallel for a few more years,
> and if some parts of the device management functionality is not available 
> over IPv6 today, it won't stop us from offering IPv6 internet services...
> 
Very true, probably for the next 20 or more.

> > Wait till you stumble on the lack of an 'ND proxy' or 'RA guard' :)
> 
> Tell your account teams that you want it, and won't buy new hardware
> unless they deliver...
>
Problem is in the Real World(tm) when the 'other' vendors also don't 
offer much needed functionality you have to make compromises and your 
threats become empty.  :-/

Cisco is good at L2 stuff; it seems when they look much at L3 they 
start being a pain; probably the issues are just more easily solved for 
me with a pile of battered Linux boxes[2].
 
> OTOH - Cisco has working prototypes of SeND, while no other (!) operating
> system out there supports it.  So where's the Linux duct-tape when you
> need it...?
> 
Apparently Cisco has some IPv6 stuff in the works I am told, but the 
people telling me are all NDA'd to hell and back and cannot tell me 
anything....'great, handy info'!

Unsure why I would want to cryptographically sign my NDs; we do not 
control the workstations that plug into our network and I'm not dishing 
out client side certificates for everyone :)

For the IPv4 world I have 'ARP inspection' and 'DHCP snooping' to stop 
people doing stupid things[4]; in the v6 world it seems I have to use 
802.1x and Linux duct-tape.  All I want is something similar in the v6 
world, but it needs to support SLAAC (with privacy extensions) and 
multiple addresses per host...QoS throttling and 'ND inspection' would 
give a 99% solution to this without the whole load of IPsec dumped upon us.  
Without this, we are pretty much still stuck in the mindset of IPv4 when 
deploying our IPv6 services.

Accepting that 'crap' is going to happen on your network whatever you do 
to try and stop it seems to have been a pointless endeavour for years. 
Having a good audit trail and event driven monitoring/alerting has been 
far more helpful for *us* (plus better use of our time deploying because 
of its other non-security related benefits) and means we do not have to 
plug *every* hole in our network when we come to the 'finding out what 
happened' and 'lessons learned' phase of an incident.

Then, I'm only starting out in the v6 world...from an early start I do 
know that Cisco is not making my life any easier and until recently I 
had to pay a premium to even *look* at v6 on a 3750.

Just my £0.02...keep the change ;)

Cheers

[1] well, their WLC 4400's (and it seems the 5500's) cannot do any L3 v6 
	stuff which means we cannot deploy it accountably on our 
	wireless network
[2] I'm still coming to terms with a 3750 being unable to shift more 
	than 20Mbit's of IPIP/GRE tunnel[3] action as it's all done in 
	software.
[3] hmmm, and in SXI3 their 6509's still suck with multicast over IPIP 
	tunnels forcing you to use GRE tunnels :-/
[4] the *majority* of problems on the network here are not from 
	attackers but

-- 
Alexander Clouter
.sigmonster says: Edited for television.
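The 'ND inspection' the post wishes for (one address belongs to one port/MAC, hosts may still hold many SLAAC/privacy addresses, RAs only accepted on uplinks, a throttle for address floods) sketched as a binding-table check. This is an added example, not code from the thread or from any Cisco feature; the event tuples, port names, `UPLINK_PORTS` and `MAX_ADDRS_PER_MAC` are constructed assumptions.

```python
"""Toy IPv6 'ND inspection' / 'RA guard' binding table (illustrative only)."""
import ipaddress
from collections import defaultdict

# Constructed sample events as a switch might see them: (port, mac, kind, ipv6)
# kind is 'NA' (neighbor advertisement) or 'RA' (router advertisement).
EVENTS = [
    ("Gi1/0/1", "00:11:22:33:44:55", "NA", "2001:db8::1"),
    ("Gi1/0/1", "00:11:22:33:44:55", "NA", "2001:db8::a1b2:c3d4:e5f6:7890"),  # privacy ext.
    ("Gi1/0/1", "00:11:22:33:44:55", "NA", "fe80::211:22ff:fe33:4455"),        # link-local
    ("Gi1/0/2", "00:aa:bb:cc:dd:ee", "NA", "2001:db8::1"),                     # claims Gi1/0/1's address
    ("Gi1/0/2", "00:aa:bb:cc:dd:ee", "RA", "fe80::2aa:bbff:fecc:ddee"),        # RA from an access port
    ("Gi1/0/48", "00:de:ad:be:ef:00", "RA", "fe80::2de:adff:febe:ef00"),       # RA from the uplink
]
UPLINK_PORTS = {"Gi1/0/48"}     # assumed: the only ports allowed to send RAs
MAX_ADDRS_PER_MAC = 16          # assumed throttle: SLAAC + privacy needs several, not hundreds


def inspect(events, uplinks=UPLINK_PORTS, max_addrs=MAX_ADDRS_PER_MAC):
    """Return (bindings, alerts).

    bindings maps each accepted IPv6 address to the (port, mac) that first
    announced it; alerts is a list of (reason, port, mac, address) tuples.
    A host may hold any number of addresses up to max_addrs, but an address
    announced from a different port/MAC than its first owner is a conflict.
    """
    bindings = {}                 # IPv6Address -> (port, mac)
    per_mac = defaultdict(set)    # mac -> set of IPv6Address
    alerts = []
    for port, mac, kind, addr in events:
        ip = ipaddress.IPv6Address(addr)          # rejects malformed addresses
        if kind == "RA":
            if port not in uplinks:               # RA guard: only uplinks may advertise routers
                alerts.append(("ROGUE_RA", port, mac, str(ip)))
            continue
        owner = bindings.get(ip)
        if owner is not None and owner != (port, mac):
            alerts.append(("ND_CONFLICT", port, mac, str(ip)))
            continue                              # keep the first binding, drop the newcomer
        bindings[ip] = (port, mac)
        per_mac[mac].add(ip)
        if len(per_mac[mac]) > max_addrs:         # throttle: too many addresses from one MAC
            alerts.append(("ADDR_FLOOD", port, mac, str(ip)))
    return bindings, alerts


if __name__ == "__main__":
    for alert in inspect(EVENTS)[1]:
        print(*alert)
```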