Hello Jim,
We were one of the many reporting horror stories some time ago and it did indeed
cripple our DNS service.
Luckily there was a Windows patch which fixed the bug causing Windows hosts to
get caught in a 'loop' and flood the DNS queries at an alarming rate. We also
vastly improved our DNS architecture to handle the potential higher load caused
by the problem.
These issues aside, we are left with the same scenario with v4 and rogue DHCP
which is also enabled with ICS on Windows. We handle v4 DHCP with DHCP snooping
on the Cisco switches and netflow export filters to alert us of any hosts
offering DHCP leases.
For IPv6 we are yet to widely deploy a solution, but I have heard good things
about rafixd (http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/rafixd/). When
placed in a network segment, rafixd will listen for rogue RAs and essentially
'poison' the network segment by advertising the same prefix with a zero
lifetime, causing it to expire on each host. Of course this doesn't remove the
offending host which means there is also some more work to be done.
We had also considered the option of higher preference RAs being sent from our
routers, but that suggests to our users we are offering v6 connectivity to the
whole of campus which we are not yet ready to do.
The idea of using ACLs is something I feel wouldn't fix the problem, as it
doesn't stop users on the same LAN segment from being affected by another
user's mis-configured machine (since we cannot apply layer 3/4 ACLs to a layer
2 port).
Tom Griffin
Data Network Administrator
University of Sheffield
Quoting Jim Jackson <[log in to unmask]>:
> Hi,
>
> We'd heard a few IPv6 related horror stories[1] incriminating ICS on IPv6
> aware Windows XP and Vista, so we've done some testing.
>
> The main problem is that of Rogue Router Advertisements (RAs)
>
> http://tools.ietf.org/html/draft-chown-v6ops-rogue-ra-01
>
> When ICS is enabled (we used a laptop with a wireless and wired interface,
> setting the wireless as the "internet" connection to share), ICS starts to
> advertise itself as a default IPv6 router on the wired network, using a
> 6to4 address and prefix. On our network all the IPv6 hosts stopped using
> the official default route via our Cisco router, and started routing via
> the ICS box. Also all IPv6 hosts picked up a new 6to4 IPv6 address.
>
> Our Cisco 6500 switch also picked up a 6to4 address on that VLAN interface,
> and let the ICS default route take precedence, sending ICMPv6 redirects to
> the ICS box whenever it received a packet to route. It continued doing
> this after the ICS box was turned off and removed from the network,
> necessitating manual intervention to restore normal service.
>
> Our thinking to protect against such software being "accidentally" deployed
> is
>
> - to set the official Router Advertisements as high preference (RFC4191),
> when we have a version of Cisco IOS that supports this. The ICS RAs
> appear to have medium preference. Hopefully ipv6 hosts will
> continue to use the official default route.
>
> - setup an ACL on the cisco box to drop incoming RAs from the network,
> hopefully stopping the cisco routing being polluted.
>
> Has anyone any comments or can anyone share any defensive measures they
> have taken to cope with rogue RAs etc.
>
> cheers
> Jim
> Network Development Team
> University of Leeds
>
> [1] one such story involved ICS making huge levels of DNS requests,
> effectively DoS'ing the DNS server. We haven't observed this.
>
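As an added example that is not part of either message, the following Python classifies captured ICMPv6 Router Advertisements the way a rogue-RA monitor would, picking up the two signs described in the thread: an RA from a source other than the campus router, and a 6to4 (2002::/16) prefix. The trusted router address and the sample packets are constructed for the example.

```python
"""Classify ICMPv6 Router Advertisements (RFC 4861): source, RFC 4191
preference, router lifetime and whether a 6to4 prefix is being handed out."""
import ipaddress
import struct

# Assumed: the only legitimate RA source on this segment (constructed address).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
# RFC 4191 Prf field occupies bits 3-4 of the RA flags byte.
PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 RA message (bytes start at the ICMPv6 type field)."""
    msg_type, _code, _csum, _hop, flags, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if msg_type != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime,
          "preference": PREFERENCE[(flags >> 3) & 0x3], "prefixes": []}
    pos = 16  # skip reachable time and retrans timer, options follow
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")
        if opt_type == 3 and opt_len == 4:  # Prefix Information option
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            ra["prefixes"].append(f"{prefix}/{plen}")
        pos += opt_len * 8
    return ra

def classify_ra(src: str, icmp: bytes) -> list:
    """Return reasons an RA from `src` looks rogue (empty list means trusted)."""
    ra = parse_ra(icmp)
    findings = []
    if ipaddress.IPv6Address(src) not in TRUSTED_ROUTERS:
        findings.append(f"unexpected RA source {src} ({ra['preference']} "
                        f"preference, router lifetime {ra['router_lifetime']}s)")
    for p in ra["prefixes"]:
        if ipaddress.IPv6Network(p, strict=False).subnet_of(SIX_TO_FOUR):
            findings.append(f"6to4 prefix {p} advertised")
    return findings

def build_ra(flags: int, lifetime: int, prefix: str, plen: int = 64) -> bytes:
    """Construct a sample RA with one Prefix Information option (test data)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    # Constructed: medium-preference RA with a 6to4 prefix from an unknown host.
    print(classify_ra("fe80::2", build_ra(0x00, 1800, "2002:c000:204::")))
```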