How to preempt rogue RAs?

Tore Anderson tore.anderson at
Sat Oct 30 20:31:32 CEST 2010

* Leen Besselink

> Maybe this is a bad idea, but it is one of the few ideas I had.
> I don't know the equipment or situation, but do you have a customer per
> switch port ?
> If the switch allows it, you could just block IPv6 per switch port based
> on ethernet type.
> Block it everywhere for everyone and enable IPv6 for customers that are
> gonna use it.

I don't know if their layer 2 equipment supports such filtering.  The
best would of course be if it supports RA Guard or something like it,
but if it doesn't, I think a forklift upgrade to gear that does is out
of the question.

Note that I'm not the ISP here - I'm a content provider that wants to
deploy IPv6 content, and have been for a long time bugging the ISP in
question about 6to4 brokenness originating from their network.  I must
admit I feel rather stupid now that they finally deployed IPv6 (perhaps
hoping to shut me up once and for all) and it just made matters worse.

> Or allow it for everyone and play whack a mole and turn it off
> selectively for those users who are causing problems for others.

Yes, that's of course an alternative, albeit not a very enticing one.
It's really tragic if that's the only way to deploy IPv6 on a shared
access LAN.

There's other pieces of software that help with the whack-a-mole game,
too, like rafixd, ramond, and python scapy (someone pointed me to off-list).

Tore Anderson
Redpill Linpro AS -
Tel: +47 21 54 41 27

More information about the ipv6-ops mailing list