[c-nsp] IPv6 experience on DSBU switches
Alexander Clouter
alex at digriz.org.uk
Wed Aug 26 09:52:25 EDT 2009
Hi,
* Gert Doering <gert at greenie.muc.de> [2009-08-26 14:09:25+0200]:
>
> On Wed, Aug 26, 2009 at 10:54:32AM +0100, Alexander Clouter wrote:
> > The sad part is that no one can get the in production experience of IPv6
> > because the vendors do not support it. You generally have to make do
> > with what you can and use Linux as 'duct-tape' for the bits that are
> > lacking...
>
> Oh, well, it's not *so* bad.
>
> Some things are lacking, but the conclusion "the box cannot do radius
> over IPv6 transport" == "not ready for production IPv6 deployment" is
> not something I can agree to.
>
Exaggerated definitely[1] but when Cisco's only answer for you to assign
IPs (accountably) is to use DHCPv6 it's a bit of a crappy welcoming
mat; not many DHCPv6 servers out there and defeats a lot of IPv6
benefits (especially now that RFC 5006 is 'here').
> I expect that we'll have to run IPv4 in parallel for a few more years,
> and if some parts of the device management functionality is not available
> over IPv6 today, it won't stop us from offering IPv6 internet services...
>
Very true, probably for the next 20 or more.
> > Wait till you stumble on the lack of an 'ND proxy' or 'RA guard' :)
>
> Tell your account teams that you want it, and won't buy new hardware
> unless they deliver...
>
Problem is in the Real World(tm) when the 'other' vendors also don't
offer much needed functionality you have to make compromises and your
threats become empty. :-/
Cisco is good at L2 stuff, it seems when they look much about L3 they
start being a pain; probably the issues are just more easily solved for
me with a pile of battered Linux boxes[2].
> OTOH - Cisco has working prototypes of SeND, while no other (!) operating
> system out there supports it. So where's the Linux duct-tape when you
> need it...?
>
Apparently Cisco has some IPv6 stuff in the works I am told, but the
people telling me are all NDA'd to hell and back and cannot tell me
anything....'great, handy info'!
Unsure why I would want to cryptographically sign my NDs, we do not
control the workstations that plug into our network and I'm not dishing
out client side certificates for everyone :)
For the IPv4 world I have 'ARP inspection' and 'DHCP snooping' to stop
people doing stupid things[4], in the v6 world it seems I have to use
802.1x and Linux duct-tape. All I want is something similar in the v6
world, but it needs to support SLAAC (with privacy extensions) and
multiple addresses per host...QoS throttling and 'ND inspection' would
give a 99% solution to this without the whole load of IPsec dumped upon us.
Without this, we pretty much are still stuck in the mindset of IPv4 when
deploying our IPv6 services.
Accepting that 'crap' is going to happen on your network whatever you do
to try and stop it seems to have been a pointless endeavour for years.
Having a good audit trail and event driven monitoring/alerting has been
far more helpful for *us* (plus better use of our time deploying because
of its other non-security related benefits) and means we do not have to
plug *every* hole in our network when we come to the finding out what
happened and the lessons learned phase of an incident.
Then, I'm only starting out in the v6 world...from an early start I do
know that Cisco is not making my life any easier and until recently I
had to pay a premium to even *look* at v6 on a 3750.
Just my £0.02...keep the change ;)
Cheers
[1] well, their WLC 4400's (and it seems the 5500's) cannot do any L3 v6
stuff which means we cannot deploy it accountably on our
wireless network
[2] I'm still coming to terms with a 3750 being unable to shift more
than 20Mbit/s of IPIP/GRE tunnel[3] action as it's all done in
software.
[3] hmmm, and in SXI3 their 6509's still suck with multicast over IPIP
tunnels forcing you to use GRE tunnels :-/
[4] the *majority* of problems on the network here are not from
attackers but
--
Alexander Clouter
.sigmonster says: Edited for television.
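The mail above asks for an IPv6 equivalent of 'ARP inspection' and 'DHCP snooping': an 'ND inspection' that tolerates SLAAC with privacy extensions (several addresses per host), plus some throttling, with findings feeding an audit trail rather than a hard block. The block below is an added illustration of that idea in software, not code from the mail or from any Cisco feature. The port names, the policy constants (ROUTER_PORTS, ALLOWED_PREFIXES, MAX_NA_PER_PORT), the NDEvent feed and the rule names are all invented for the example; addresses use the 2001:db8::/32 documentation prefix and MACs the 00:00:5e:00:53:xx documentation range.

```python
# Added example: a software 'ND inspection' / RA-guard style check run over a
# constructed feed of neighbour-discovery events. Policy values and the event
# feed are hypothetical; nothing here is taken from the original mail.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NDEvent:
    kind: str       # "RA" = router advertisement, "NA" = neighbour advertisement
    port: str       # ingress switch port (constructed name)
    src_mac: str    # source MAC of the frame
    addr: str       # RA: advertised prefix; NA: target address being claimed


@dataclass(frozen=True)
class Finding:
    rule: str
    port: str
    src_mac: str
    addr: str


# Hypothetical policy for a constructed edge switch.
ROUTER_PORTS = {"Gi1/0/1"}                # only the uplink may send RAs
ALLOWED_PREFIXES = {"2001:db8:1::/64"}    # the prefix the real router advertises
MAX_NA_PER_PORT = 5                       # crude per-port cap, the 'QoS throttling' idea


class NDInspector:
    def __init__(self, router_ports, allowed_prefixes, max_na_per_port):
        self.router_ports = set(router_ports)
        self.allowed_prefixes = set(allowed_prefixes)
        self.max_na_per_port = max_na_per_port
        # addr -> (mac, port): first claim wins, like a DHCP-snooping binding table
        self.bindings: Dict[str, Tuple[str, str]] = {}
        # mac -> addresses: several per host is normal with SLAAC + privacy extensions
        self.addrs_per_mac: Dict[str, Set[str]] = {}
        self.na_count: Dict[str, int] = {}

    def inspect(self, ev: NDEvent) -> List[Finding]:
        findings: List[Finding] = []
        if ev.kind == "RA":
            # RA guard: routers are only expected on designated ports ...
            if ev.port not in self.router_ports:
                findings.append(Finding("rogue-ra-port", ev.port, ev.src_mac, ev.addr))
            # ... and should only advertise the prefixes we actually hand out.
            elif ev.addr not in self.allowed_prefixes:
                findings.append(Finding("unexpected-prefix", ev.port, ev.src_mac, ev.addr))
        elif ev.kind == "NA":
            self.na_count[ev.port] = self.na_count.get(ev.port, 0) + 1
            if self.na_count[ev.port] == self.max_na_per_port + 1:
                # Fire once per port when the cap is crossed, not on every extra NA.
                findings.append(Finding("na-rate-exceeded", ev.port, ev.src_mac, ev.addr))
            bound = self.bindings.get(ev.addr)
            if bound is None:
                # New address: record the binding; extra addresses per MAC are fine.
                self.bindings[ev.addr] = (ev.src_mac, ev.port)
                self.addrs_per_mac.setdefault(ev.src_mac, set()).add(ev.addr)
            elif bound != (ev.src_mac, ev.port):
                # Same address claimed from a different MAC/port: log it for the audit trail.
                findings.append(Finding("binding-conflict", ev.port, ev.src_mac, ev.addr))
        return findings


def run_inspection(events: List[NDEvent]) -> Tuple[NDInspector, List[Finding]]:
    """Feed every event through one inspector and collect the findings in order."""
    insp = NDInspector(ROUTER_PORTS, ALLOWED_PREFIXES, MAX_NA_PER_PORT)
    findings: List[Finding] = []
    for ev in events:
        findings.extend(insp.inspect(ev))
    return insp, findings


# Constructed sample feed (documentation addresses and MACs).
SAMPLE_EVENTS = [
    NDEvent("RA", "Gi1/0/1", "00:00:5e:00:53:01", "2001:db8:1::/64"),          # legitimate router
    NDEvent("NA", "Gi1/0/5", "00:00:5e:00:53:aa", "2001:db8:1::aa"),            # host A, stable address
    NDEvent("NA", "Gi1/0/5", "00:00:5e:00:53:aa", "2001:db8:1::1234:5678"),     # host A, privacy address
    NDEvent("RA", "Gi1/0/7", "00:00:5e:00:53:bb", "2001:db8:bad::/64"),         # RA from an access port
    NDEvent("NA", "Gi1/0/8", "00:00:5e:00:53:cc", "2001:db8:1::aa"),            # host C claims A's address
] + [
    # host D answering for seven addresses in one window: crosses MAX_NA_PER_PORT
    NDEvent("NA", "Gi1/0/9", "00:00:5e:00:53:dd", f"2001:db8:1::{i:x}") for i in range(0x10, 0x17)
]

if __name__ == "__main__":
    _, found = run_inspection(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:18} port={f.port} mac={f.src_mac} addr={f.addr}")
```

Host A's two addresses (a stable one and a privacy-extension one) produce no finding because the table is keyed by address, not by MAC; only a second claimant for an already-bound address, an RA from a non-router port, or a port that blows through the NA cap is reported. The inspector records rather than drops, which matches the mail's preference for an audit trail and event-driven alerting over trying to plug every hole inline.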