How to preempt rogue RAs?

Tore Anderson tore.anderson at redpill-linpro.com
Fri Dec 10 08:58:15 CET 2010


* Eric Vyncke (evyncke)

> On WLAN (conference), the easiest way to fight the rogue-RA is simply
> to configure AP/WLC to prevent direct client to client
> communication.
> 
> On LAN, this behavior can also be done by enabling private VLAN (or
> whatever similar feature on another brand).
> 
> Both techniques have an obvious impact, such as preventing Bonjour
> (and many other things, notably DAD :-( ) from working, or direct PC/PC
> communication. Proxy-ARP helps for IPv4 but, AFAIK, my employer's
> routers do not have proxy-NDP yet.
> 
> But, the best way (assuming 'C brand' as someone named them :-)
> except Cat 2K) is to use the new PACL (Port ACL)
> 
> Else, sending the real RA with high priority and a short re-transmit
> time could also help.
> 
> Else, NDPMON is usually pretty good as well.
> 
> Note: how does this ISP fight rogue DHCPv4 servers?

Hi Éric, and thanks for your suggestions.  The network in question is a
campus-type wired LAN with Cat2k Cisco switches, so the PACL method of
solving it was unavailable.

However, they've got it under control now.  Basically what they do is to
listen for rogue RAs with ramond and shoot them down immediately, and
also automatically move the end user to an isolated VLAN where the only
thing he can access is a captive portal that gives instructions on how
to disable ICS and/or get in touch with the help desk.  It's really sad
that it's necessary to do that, I think, but at least it works.

A couple of days ago they got the last remaining issues fixed, which is
clearly visible in my graphs at http://fud.no/ipv6/ - brokenness dropped
sharply and the use of IPv6 went up.

I don't know if they have a problem with rogue DHCPv4 servers.  Perhaps
there's no commonly found software that will activate a DHCPv4 server
without the user being malicious or even aware of the fact that he's
creating a problem, which unfortunately is the case with Windows ICS and
6to4.

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
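
The listen-and-quarantine approach described in the message above, sketched as an added Python example (this is not ramond's code nor the campus network's actual configuration). It parses raw Ethernet/IPv6/ICMPv6 Router Advertisement frames, checks the hop limit, the advertising MAC and the announced prefixes against an allowlist, flags 6to4 (2002::/16) prefixes of the kind Windows ICS leaks, and produces the quarantine decision. The allowlist, the router and host MACs, the prefixes, the placeholder quarantine VLAN id and the sample frames are all constructed for the example; the ICMPv6 checksum is not verified, since a real capture stack would have done that already.

```python
"""Passive rogue-RA detector, modelled on the listen-and-quarantine approach
from the post.  Added example, not ramond.  Assumed (not from the post): an
allowlist of legitimate router MACs and their prefixes, a heuristic that flags
6to4 (2002::/16) prefixes, and constructed sample frames.  Checksums are not
verified here."""
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
PRF_NAMES = {0: "medium", 1: "high", 2: "reserved", 3: "low"}  # RFC 4191 Prf bits
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


@dataclass
class RouterAdvert:
    src_mac: str
    src_ip: str
    hop_limit: int            # IPv6 hop limit; a genuine on-link RA carries 255
    preference: str           # router preference, the "high priority" knob
    router_lifetime: int
    prefixes: list = field(default_factory=list)


def parse_ra(frame: bytes):
    """Return a RouterAdvert for an Ethernet/IPv6/ICMPv6 RA frame, else None."""
    if len(frame) < 14 + 40 + 16:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:54]
    payload_len, next_header, hop_limit = struct.unpack("!HBB", ip6[4:8])
    if next_header != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    # Fixed RA header (RFC 4861 4.2): type, code, checksum, cur hop limit,
    # flags, router lifetime, reachable time, retrans timer.
    flags, router_lifetime = icmp[5], struct.unpack("!H", icmp[6:8])[0]
    ra = RouterAdvert(
        src_mac=":".join(f"{b:02x}" for b in src),
        src_ip=str(ipaddress.IPv6Address(ip6[8:24])),
        hop_limit=hop_limit,
        preference=PRF_NAMES[(flags >> 3) & 0x3],
        router_lifetime=router_lifetime,
    )
    off = 16  # walk the TLV options; option length is in units of 8 octets
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):
            break  # malformed option: stop parsing rather than trust the rest
        if otype == OPT_PREFIX_INFO and olen == 4:
            opt = icmp[off:off + 32]  # prefix length at byte 2, prefix at 16..32
            ra.prefixes.append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        off += olen * 8
    return ra


def classify(ra: RouterAdvert, trusted: dict):
    """trusted maps router MAC -> set of prefixes it may announce.
    Returns ("ok", []) or ("rogue", [reasons])."""
    reasons = []
    if ra.hop_limit != 255:
        reasons.append("hop limit is not 255, so the RA did not originate on-link")
    if ra.src_mac not in trusted:
        reasons.append(f"unknown router MAC {ra.src_mac}")
    else:
        reasons += [f"unexpected prefix {p} from {ra.src_mac}"
                    for p in ra.prefixes if p not in trusted[ra.src_mac]]
    for p in ra.prefixes:
        if ipaddress.IPv6Network(p, strict=False).subnet_of(SIXTOFOUR):
            reasons.append(f"6to4 prefix {p} (typical Windows ICS/6to4 leak)")
    return ("rogue", reasons) if reasons else ("ok", [])


def plan_response(ra: RouterAdvert, verdict: str):
    """The post's remediation: move the offending host to the quarantine VLAN."""
    if verdict != "rogue":
        return None
    return {"action": "move_to_quarantine_vlan", "mac": ra.src_mac,
            "vlan": "QUARANTINE_VLAN_ID"}  # placeholder, site specific


def build_ra(src_mac, src_ip, preference, lifetime, prefixes, hop_limit=255):
    """Constructed test frame: RA to ff02::1 with checksum left as zero."""
    prf = {v: k for k, v in PRF_NAMES.items()}[preference]
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, prf << 3, lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed)
    eth = (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + icmp


# Constructed sample data: one legitimate router, one ICS/6to4 host.
TRUSTED = {"00:11:22:33:44:55": {"2001:db8:1::/64"}}
LEGIT_RA = build_ra("00:11:22:33:44:55", "fe80::1", "high", 1800, ["2001:db8:1::/64"])
ROGUE_RA = build_ra("aa:bb:cc:dd:ee:ff", "fe80::abcd", "medium", 1800, ["2002:c000:201::/64"])

if __name__ == "__main__":
    for frame in (LEGIT_RA, ROGUE_RA):
        ra = parse_ra(frame)
        verdict, reasons = classify(ra, TRUSTED)
        print(ra.src_mac, ra.preference, verdict, reasons, plan_response(ra, verdict))
```

Run as a script it prints the legitimate RA as "ok" and the 6to4 host as "rogue" with both reasons (unknown MAC, 2002::/16 prefix). The parsed `preference` field is the Prf value Éric refers to when suggesting a high-priority real RA: comparing it across observed RAs shows whether the legitimate router's announcement would in fact win on hosts that honour RFC 4191.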
