How to preempt rogue RAs?

Fernando Gont fernando at gont.com.ar
Sun Nov 28 07:50:10 CET 2010


Hi, Tim,

>> My take is that this will fix the "accidental" rogue IPv6 router
>> problem, but not the malicious router IPv6 problem.
> 
> How does RA Guard not help with the malicious rogue RA problem?

More about this off-list (but will come back to the list shortly, with
tools, etc.)



>> I'm in the process of crafting some code to actually check the idea I
>> have in mind... and will share afterwards.
> 
> Have you looked at ramond (on sourceforge)?

Yes. However, even though I have not actually tried it, my comments would be:

If you get to the point in which RAs can be sent by anybody, sending
RAs with a lifetime of 0 doesn't look like the right way to go. For
instance, RAs with a Lifetime of 0 are yet another DoS vector (to
remove *legitimate* routers from the default router list). Furthermore,
I'd argue that you shouldn't discard routers merely because you've
received an RA with a Lifetime of 0, but rather you should discard them
after checking that the corresponding router is not useful (e.g., your
TCP connections do not make forward progress, etc.)

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
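Added example, not code from the message above, from ramond, or from Fernando's tools: a small Python model of the host-side Default Router List as RFC 4861 section 6.3.4 describes it, fed with hand-built ICMPv6 Router Advertisements. It illustrates the point made in the message: if any node on the link may send RAs, an RA with Router Lifetime 0 (source address spoofed as the target router, which is how a lifetime-0 "kill" of a rogue router works) evicts a legitimate router exactly as it would evict a rogue one. A second, hypothetical policy keeps the router until a forward-progress check fails; the check is an injected callable here, since no real traffic is modelled. The link-local addresses, the checksum of 0 (no IPv6 pseudo-header is computed) and the scenario are constructed for the example.

```python
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
RA_FIXED_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(router_lifetime, cur_hop_limit=64, flags=0,
             reachable_ms=0, retrans_ms=0):
    """Serialise the fixed part of an ICMPv6 Router Advertisement (RFC 4861 4.2).
    The checksum is left as 0: the IPv6 pseudo-header is not modelled here."""
    return struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       cur_hop_limit, flags, router_lifetime,
                       reachable_ms, retrans_ms)


def parse_ra(pkt):
    """Parse the fixed RA header; options (prefix info, MTU, ...) are ignored."""
    if len(pkt) < RA_FIXED_LEN:
        raise ValueError("truncated Router Advertisement")
    typ, code, _csum, hop, flags, lifetime, reach, retrans = \
        struct.unpack("!BBHBBHII", pkt[:RA_FIXED_LEN])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    return {"cur_hop_limit": hop, "flags": flags, "router_lifetime": lifetime,
            "reachable_ms": reach, "retrans_ms": retrans}


class DefaultRouterList:
    """Default Router List as RFC 4861 6.3.4 specifies it: an RA with
    Router Lifetime 0 from an address already in the list removes that
    entry immediately, no questions asked."""

    def __init__(self):
        self.routers = {}  # link-local source address -> lifetime in seconds

    def receive(self, src, pkt):
        lifetime = parse_ra(pkt)["router_lifetime"]
        if lifetime == 0:
            self.routers.pop(src, None)
        else:
            self.routers[src] = lifetime
        return self.current()

    def current(self):
        return sorted(self.routers)


class DeferredDefaultRouterList(DefaultRouterList):
    """Hypothetical policy (not RFC 4861 behaviour): a lifetime-0 RA only
    marks the router as suspect; the entry is dropped when the injected
    forward-progress check reports that the router no longer forwards."""

    def __init__(self, forwards_traffic):
        super().__init__()
        self.forwards_traffic = forwards_traffic  # callable(src) -> bool
        self.suspect = set()

    def receive(self, src, pkt):
        lifetime = parse_ra(pkt)["router_lifetime"]
        if lifetime == 0:
            if src in self.routers:
                if self.forwards_traffic(src):
                    self.suspect.add(src)   # keep it, re-check later
                else:
                    self.routers.pop(src)
        else:
            self.routers[src] = lifetime
            self.suspect.discard(src)
        return self.current()


def demo():
    """Constructed scenario: the legitimate router fe80::1 announces itself
    with Router Lifetime 1800; an attacker on the link then sends an RA with
    spoofed source fe80::1 and Router Lifetime 0.  Returns the list each
    policy ends up with."""
    legit = build_ra(router_lifetime=1800)
    spoofed = build_ra(router_lifetime=0)

    rfc_host = DefaultRouterList()
    rfc_host.receive("fe80::1", legit)
    rfc_result = rfc_host.receive("fe80::1", spoofed)            # -> []

    # fe80::1 is in fact still forwarding packets; only the RA was forged.
    deferred_host = DeferredDefaultRouterList(lambda src: src == "fe80::1")
    deferred_host.receive("fe80::1", legit)
    deferred_result = deferred_host.receive("fe80::1", spoofed)  # -> ['fe80::1']
    return rfc_result, deferred_result


if __name__ == "__main__":
    print(demo())
```

The deferred policy only protects against the DoS side of the problem: a rogue router that does forward traffic (the man-in-the-middle case) passes the forward-progress check just as a legitimate one does, so it is not a substitute for filtering RAs at the switch port.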