How to preempt rogue RAs?

Tore Anderson tore.anderson at redpill-linpro.com
Sat Oct 30 11:57:18 CEST 2010


Hi,

* Gert Doering

> Some gear can filter out the RAs from sources where they are not 
> authorized.

I'm aware of that, but I don't think they're particularly open to
forklift upgrading their entire access network to deal with this
problem, or as Mikael suggested, doing drastic changes to their
topology.  At least not in the sort term...

The shared access LAN model clearly has its weaknesses, but it's quite
common and for IPv4 works reasonably well in the absence of malicious
users.  But for IPv6 it seems overwhelmingly likely that the users
causing problems are completely oblivious as to what they're doing.

> (Or someone at Microsoft could wake up, see the light, 
> and stop ICS from breaking other people's IPv6 connectivity...  like, 
> for example, only activate this if a) no other RAs are seen, and b) 
> the user has manually enabled the feature)

I haven't confirmed 100% that it's Windows ICS that's responsible for
the RAs.  However some of the broken users ran the ISCI Netalyzr (a
fantastic tool for getting great debugging info out of non-technical
users by the way) at my request so I could see which 6to4 addresses they
had configured and from which IPv4 addresses they were derived, and then
I could see hits from some of those addresses, which identified
themselves as Windows 7 (NT 6.1).  But that doesn't rule out the
presence of a NAT box in between of course.

I've briefly tried to reproduce the problem with a Windows 7 box I have
here by turning on ICS on a IPv4-only LAN segment, and while I could see
it activating the local 6to4 tunnel, it did not start transmitting RAs
for that prefix.  So I'm not 100% sure if ICS is involved, and if it is,
exactly how it has to be set up in order for the rogue RAs to show up.
If somebody knows more in detail how ICS/6to4 operates I'd appreciate
hearing about it, or if somebody has any suggestions on how it would
have to be configured in order to break I'll be happy to try it out in
my lab.

> There's are a couple of IETF drafts focusing on this problem:

Thanks.  I was hoping that deploying native IPv6 service would just
sidestep the problem completely by having the ISPs router announce
itself as the One True IPv6 Router by setting «ipv6 nd router-preference
High».  But it doesn't seem to work.  :-(

Best regards,
-- 
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
Tel: +47 21 54 41 27


More information about the ipv6-ops mailing list