IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?

Gert Doering gert at space.net
Mon Nov 1 15:36:55 CET 2010


On Mon, Nov 01, 2010 at 03:32:32PM +0100, Shane Kerr wrote:
> Also, if we're talking about networks where administrators cannot be
> bothered to filter RA traffic then does it seem likely that they will be
> interested in configuring certificates on their devices? ;)

Umm, well, now that's one of those nasty "the real world" arguments, 
isn't it?

What you can do without having to touch each *end* device is teach the
switches in between the difference between "RA" and "signed RA" (and
as far as I understand, Cisco has running code for that).  So the switch
can determine the validity of an RA and filter/forward it, without having
to manually configure "this port goes to a router" and "this one doesn't".

Gert Doering
        -- NetMaster
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
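
On the wire, the difference between an "RA" and a "signed RA" in the message above is which Neighbor Discovery options the packet carries (SEND, RFC 3971). The following is an added example, not part of the original post and not any vendor's code: it walks the options of an ICMPv6 RA and reports whether an RSA Signature option is present. It is a presence check only and does not verify the signature or the CGA; the sample packets and helper names are constructed for illustration.

```python
import struct

RA_TYPE = 134  # ICMPv6 Router Advertisement
SEND_OPTS = {11: "CGA", 12: "RSA Signature", 13: "Timestamp", 14: "Nonce"}  # RFC 3971

def ra_options(icmp: bytes):
    """Return [(type, body)] for the ND options of an RA, or None if invalid."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        return None
    opts, off = [], 16  # options follow the 16-byte RA header
    while off < len(icmp):
        if off + 2 > len(icmp):
            return None
        otype, units = icmp[off], icmp[off + 1]
        size = units * 8  # option length counts units of 8 octets
        if units == 0 or off + size > len(icmp):
            return None  # zero-length or truncated option
        opts.append((otype, icmp[off + 2:off + size]))
        off += size
    return opts

def classify_ra(icmp: bytes):
    """Return (verdict, SEND option names seen). Presence check only:
    the RSA signature and CGA are NOT cryptographically verified here."""
    opts = ra_options(icmp)
    if opts is None:
        return ("invalid", [])
    names = [SEND_OPTS[t] for t, _ in opts if t in SEND_OPTS]
    return ("signed" if "RSA Signature" in names else "unsigned", names)

def _opt(otype: int, body: bytes) -> bytes:
    """Build a constructed ND option, zero-padded to a multiple of 8 octets."""
    size = 2 + len(body) + (-(2 + len(body)) % 8)
    return (bytes([otype, size // 8]) + body).ljust(size, b"\x00")

# Constructed samples (all field values are placeholders, checksum left at 0).
RA_HDR = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
SLLA = _opt(1, bytes.fromhex("020000000001"))  # source link-layer address
TIMESTAMP = _opt(13, bytes(6) + bytes(8))  # reserved + 64-bit timestamp
RSA_SIG = _opt(12, bytes(2) + bytes(16) + bytes(128))  # reserved, key hash, dummy sig
PLAIN_RA = RA_HDR + SLLA
SIGNED_RA = RA_HDR + SLLA + TIMESTAMP + RSA_SIG

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_RA), ("signed", SIGNED_RA)):
        print(name, classify_ra(pkt))
```

A device that filters on this would still have to validate the signature against a trusted key before forwarding a packet classified as "signed".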