IPv6 CGA and key (non-)management, was Re: How to preempt rogue RAs?
Gert Doering
gert at space.net
Mon Nov 1 15:36:55 CET 2010
Hi,
On Mon, Nov 01, 2010 at 03:32:32PM +0100, Shane Kerr wrote:
> Also, if we're talking about networks where administrators cannot be
> bothered to filter RA traffic then does it seem likely that they will be
> interested in configuring certificates on their devices? ;)
Umm, well, now that's one of those nasty "the real world" arguments,
isn't it?
What you can do without having to touch each *end* device is teach the
switches in between the difference between "RA" and "signed RA" (and
as far as I understand, Cisco has running code for that). So the switch
can determine the validity of an RA and filter/forward it, without having
to manually configure "this port goes to a router" and "this one doesn't".
Gert Doering
-- NetMaster
--
did you enable IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20101101/eb2c4b78/attachment.bin
More information about the ipv6-ops
mailing list