How to preempt rogue RAs?

Gert Doering gert at space.net
Sat Oct 30 11:03:03 CEST 2010


Hi,

On Sat, Oct 30, 2010 at 10:53:07AM +0200, Tore Anderson wrote:
> If even native IPv6 service doesn't help with limiting the damage done
> by 6to4 I'm at a loss on what to do next.  Does anyone have any
> suggestions on how to deal with this problem?

Some gear can filter out the RAs from sources where they are not 
authorized.  (Or someone at Microsoft could wake up, see the light, 
and stop ICS from breaking other people's IPv6 connectivity...  like, 
for example, only activate this if a) no other RAs are seen, and b) 
the user has manually enabled the feature)

There are a couple of IETF drafts focusing on this problem:

 draft-ietf-v6ops-rogue-ra-02.txt
    "the problem statement" (plus ideas on mitigation, like L2 ACLs)

 draft-ietf-v6ops-ra-guard-08.txt
    "how a switch implementation could help fixing this"

Gert Doering
        -- NetMaster
-- 
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
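
The source-based RA filtering mentioned in the message above, sketched as detection logic. This is an added example, not part of the original message and not taken from either draft. The function names, the allowlist, the MAC addresses and the prefixes are constructed for illustration, and the allowlist-by-source-MAC policy is an assumption about how "authorized" is defined.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE, PREFIX_OPT = 58, 134, 3
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
AUTHORIZED = {"00:00:5e:00:53:01"}  # constructed allowlist of router MACs

def inspect_frame(frame, authorized_macs):
    """Return None for non-RA frames, else a dict describing the RA."""
    if len(frame) < 54 or frame[12:14] != b"\x86\xdd":
        return None
    src_mac = frame[6:12].hex(":")
    ip = frame[14:]
    nxt, hop_limit = ip[6], ip[7]
    src_ip = ipaddress.IPv6Address(ip[8:24])
    off = 40
    # Walk simple extension headers; fragmented RAs are not reassembled here.
    while nxt in EXT_HEADERS and off + 8 <= len(ip):
        nxt, off = ip[off], off + (ip[off + 1] + 1) * 8
    if nxt != ICMPV6 or off + 16 > len(ip) or ip[off] != RA_TYPE:
        return None
    prefixes, opt = [], off + 16  # options follow the 16-byte RA header
    while opt + 2 <= len(ip) and ip[opt + 1] > 0:
        olen = ip[opt + 1] * 8
        if ip[opt] == PREFIX_OPT and olen == 32 and opt + 32 <= len(ip):
            net = ipaddress.IPv6Address(ip[opt + 16:opt + 32])
            prefixes.append(f"{net}/{ip[opt + 2]}")
        opt += olen
    return {
        "src_mac": src_mac,
        "src_ip": str(src_ip),
        # RFC 4861: a valid RA has hop limit 255 and a link-local source
        "well_formed": hop_limit == 255 and src_ip.is_link_local,
        "authorized": src_mac in authorized_macs,
        "prefixes": prefixes,
    }

def build_ra(src_mac, src_ip, prefix, plen):
    """Construct a sample RA frame (checksum left zero; not validated here)."""
    opt = struct.pack("!BBBBIII", PREFIX_OPT, 4, plen, 0xC0, 86400, 14400, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip + icmp

if __name__ == "__main__":
    # Constructed samples: the known router, then a host announcing a 6to4 prefix
    for mac, src, pfx in [("00:00:5e:00:53:01", "fe80::1", "2001:db8:0:1::"),
                          ("00:00:5e:00:53:99", "fe80::99", "2002:c000:204:1::")]:
        print(inspect_frame(build_ra(mac, src, pfx, 64), AUTHORIZED))
```
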

