
Re: Recovering from multiple routers advertising routes



On Wed, May 14, 2003 at 10:56:48AM -0400, Bill Cerveny wrote:
> - What is the recommended set-up for Linux servers which are not set up as 
> routers? In my opinion, allowing a server to add addresses/routing every 
> time a router starts advertising rogue addressing blocks is dangerous and 
> should be avoided.

Well, you could configure the machines with static IP addresses and
routes.  'sysctl -w net.ipv6.conf.all.accept_ra=0' will disable
autoconfiguration of routes.  You can then put the static information in
/etc/network/interfaces (see interfaces(5)).

> -- How is an IPv6 default route added in Debian?

/etc/network/interfaces

> -- Various resources maintain that adding a default route in Linux is 
> problematic and should be avoided.  Is this still the case in general 
> and/or with Linux?

The default route thing is only an issue on Linux systems configured as
routers.  Hosts can and usually do have default routes.  USAGI Linux
kernels do allow default routes on routers.  I believe that Linux 2.4.21
and above will also support them, but 2.4.21 hasn't been released yet.

> - How does one recover from receiving a router advertisement from a rogue 
> router without rebooting the Debian Linux system?

ifdown <interface> && ifup <interface> as root will remove the
autoconfigured IPv6 addresses from <interface>.  The problem there is
that, unless you're running USAGI, you don't have a way to manually
request routes from the routers that *do* exist.  You'll have to wait
until your router sends an unsolicited RA.

You can also manually delete specific addresses from the interface with
ifconfig or ip.  The routes associated with those addresses will go
away, too.

> -- Are there any IPv6-specific limitations in the "route" command?

You should use the 'ip' command from the iproute package.  The route and
ifconfig commands are considered deprecated.

> -- Are there any lower-level ways of removing IPv6 routes without "route"?

You could probably frob something in /proc/sys/net/ipv6/ somewhere, but
I don't know what.

> - Finally, a general question which perhaps isn't appropriate for this 
> list, but I'm interested in the scope of the problem.  One of the engineers 
> who introduced a rogue router argued that allowing a router to confuse the 
> IPv6 network with router advertisements is a major flaw in the protocol. 
> Is this engineer's statement valid or is the protocol just fine and the 
> implementation broken?

I don't really consider myself qualified to comment here.  I'm sure the
IETF has thought about such issues.  Consider searching for the relevant
RFCs (RFC 2462, available at ftp://ftp.ipv6.org/pub/rfc/rfc2462.txt,
covers stateless autoconfiguration) or asking on
ipng@sunroof.eng.sun.com if those don't clarify the issue.

noah

-- 
Noah Meyerhans
Computer Resource Services, MIT Laboratory for Computer Science
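
An added example, not part of the original message: a shell function that audits `ip -6 route show` output for RA-learned routes whose router or prefix is not on an allowlist, and prints the `ip -6 route del` commands for review instead of running them. It assumes current iproute2 output, where RA-learned routes are tagged `proto ra`; the sample routing table, router address and prefixes are constructed.

```shell
#!/bin/sh
# Constructed sample of `ip -6 route show` output (not captured from a real host).
SAMPLE_ROUTES='2001:db8:1::/64 dev eth0 proto ra metric 1024 expires 2591990sec pref medium
2001:db8:bad::/64 dev eth0 proto ra metric 1024 expires 86390sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1790sec hoplimit 64 pref medium
default via fe80::dead:beef dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium'

# Constructed allowlists: link-local addresses of the expected routers and
# the prefixes they are expected to advertise on this segment.
ALLOWED_ROUTERS='fe80::1'
ALLOWED_PREFIXES='2001:db8:1::/64'

# rogue_ra_routes ROUTES ROUTERS PREFIXES
# Prints one "ip -6 route del ..." command per RA-learned route that is either
# a default route via an unlisted router or an on-link prefix that is unlisted.
# Static and kernel routes (anything without "proto ra") are never touched.
rogue_ra_routes() {
    printf '%s\n' "$1" | awk -v routers="$2" -v prefixes="$3" '
        BEGIN {
            n = split(routers, r, " ");  for (i = 1; i <= n; i++) ok[r[i]] = 1
            n = split(prefixes, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1
        }
        / proto ra / {
            gw = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if ($1 == "default") {
                if (gw != "" && !(gw in ok))
                    print "ip -6 route del default via " gw " dev " dev
            } else if (!($1 in ok)) {
                print "ip -6 route del " $1 " dev " dev
            }
        }'
}

# On a live host, pass "$(ip -6 route show)" instead of the sample.
rogue_ra_routes "$SAMPLE_ROUTES" "$ALLOWED_ROUTERS" "$ALLOWED_PREFIXES"
```

Deleting the routes only cleans up after the fact; a host left with accept_ra enabled will install them again on the next advertisement from the same router.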
