On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
On 4/22/12, Grant Ridder shortdudey...@gmail.com wrote:
Most switches nowadays have dhcpv4 detection that can be enabled for port
Yes. Many L2 switches have DHCPv4 Snooping, where some port(s) can
be so designated as trusted DHCP server
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
Particularly good L2 switches also have
DAI or IP Source guard IPv4 functions, which when properly
enabled, can foil certain L2 ARP and IPv4 source address spoofing
On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
Particularly good L2 switches also have
DAI or IP Source guard IPv4 functions, which when properly
enabled, can foil certain
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
Particularly good L2 switches also have
DAI or IP Source guard
On Apr 23, 2012, at 8:23 AM, Chuck Anderson wrote:
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
Particularly
On Mon, 23 Apr 2012 11:23:14 -0400, Chuck Anderson said:
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
In a lot of cases, enforcing that all address assignments are via DHCP can
still be counter-productive. Especially in IPv6.
If a specific managed environment provides DHCPv6
Hi,
On Mon, Apr 23, 2012 at 12:27:53PM -0400, valdis.kletni...@vt.edu wrote:
On Mon, 23 Apr 2012 11:23:14 -0400, Chuck Anderson said:
On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
In a lot of cases, enforcing that all address assignments are via DHCP can
still be
On 4/17/12 01:37 , Carlos Martinez-Cagnazzo wrote:
I don't understand why a problem with a tunnel 'leaves a bad taste with
IPv6'. Since when a badly configured DNS zone left people with a 'bad
taste for DNS', or a badly configured switch left people with 'a bad
taste for spanning tree' or 'a
Most switches nowadays have dhcpv4 detection that can be enabled for port
ranges. Not sure about v6.
-Grant
On Sun, Apr 22, 2012 at 11:32 PM, Joel jaeggli joe...@bogus.com wrote:
On 4/17/12 01:37 , Carlos Martinez-Cagnazzo wrote:
I don't understand why a problem with a tunnel 'leaves a bad
On 4/22/12, Grant Ridder shortdudey...@gmail.com wrote:
Most switches nowadays have dhcpv4 detection that can be enabled for port
Yes. Many L2 switches have DHCPv4 Snooping, where some port(s) can
be so designated as trusted DHCP server ports, for certain Virtual
LANs; and dhcp messages can be
--On 16 April 2012 17.38.07 -0400 Brandon Penglase bpenglase-na...@spaceservices.net wrote:
direction of our security analyst) turn up a DA test server.
snip
Needless to say, everything was horribly slow, and some things even
flat out broke.
To be expected when DNS is given the rôle
IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.
Not to mention that, as pointed by others, this provides a
I don't understand why a problem with a tunnel 'leaves a bad taste with
IPv6'. Since when a badly configured DNS zone left people with a 'bad
taste for DNS', or a badly configured switch left people with 'a bad
taste for spanning tree' or 'a bad taste for vlan trunking' ?
It seems to me that what
On 17-4-2012 10:33, Carlos Martinez-Cagnazzo wrote:
IMO it's much easier to disable one rogue than to disable IPv6 on the
whole network. That is if you can find it, but with some proper
tcpdumping and/or CLI commands (depending on the switches that you have)
it should be relatively easy.
You have a rogue IPv6 router on your network. It's not a host problem.
It's along the lines of having a rogue DHCP server on your network but
faster propagation.
It needs to be tracked down and disabled.
You can use tcpdump (as root) to capture IPv6 RA and see who's doing it,
and what's being
tcpdump -e will show source and dest mac address.
On Apr 17, 2012, at 6:54 AM, Ray Soucy r...@maine.edu wrote:
tcpdump -ni eth0 'ip6 dst ff02::1'
06:48:48.044409 IP6 fe80::2d0:1ff:fedf:8400 > ff02::1: ICMP6, router advertisement, length 64
RA guard is useful if your tcam capacity and or switching platform allows -
http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-implementation-01
An older yet still a good read from Cisco on some IPv6 first hop security:
Thanks for useful reply everyone!
As I mentioned - I applied quick temporary fix by stop broadcast from
router and clearing of routing table on servers. Will apply disabling of
autoconfig now.
On Tue, Apr 17, 2012 at 5:25 PM, Mick O'Rourke mkorourke+na...@gmail.com wrote:
RA guard is useful if
Hello everyone
Just got an awfully crazy issue. I heard from our support team about failure
of whois during domain registration. Initially I thought of port 43 TCP
block or something but found it was all ok. Later when I ran whois manually
on server via terminal it failed. Found problem that
, April 16, 2012 2:10 PM
To: NANOG Mailing List
Subject: Automatic IPv6 due to broadcast
Hello everyone
Just got an awfully crazy issue. I heard from our support team about
failure of whois during domain registration. Initially I thought of
port 43 TCP block or something but found it was all
On Mon, 16 Apr 2012 23:39:46 +0530, Anurag Bhatia said:
More a host config issue than a NANOG issue, but what the heck...
I wonder if anyone else also had similar issues? Also, if my guesses are
correct then how can we disable Red Hat distro oriented servers from taking
such automated
Anurag,
You have a rogue RA in your network. Now it is just an annoying DoS, but
it can easily be turned into a real security concern.
I suggest either deploying IPv6 properly or disabling it. I am more for
the former, but it is your choice.
Regards
-as
On 16 Apr 2012, at 15:09,
I know you mentioned RedHat, but not if it was the router or other
servers. Were you playing with Microsoft's Direct Access and turned on
the DNS entry (isatap.domain.com) internally?
At my current place of employment, we had a security student (at the
direction of our security analyst) turn up a DA
On Mon, 16 Apr 2012 17:38:07 -0400, Brandon Penglase said:
flat out broke. Sadly this event left a really sour taste for IPv6 with the
Networking department (whom I was occasionally bugging about v6).
Talking point: If you guys had deployed a proper IPv6 infrastructure, those
tunnels wouldn't have