How to preempt rogue RAs?
tore.anderson at redpill-linpro.com
Sat Oct 30 20:31:32 CEST 2010
* Leen Besselink

> Maybe this is a bad idea, but it is one of the few ideas I had.
> I don't know the equipment or situation, but do you have a customer per
> switch port?
> If the switch allows it, you could just block IPv6 per switch port based
> on Ethernet type.
> Block it everywhere for everyone and enable IPv6 for customers that are
> gonna use it.

I don't know if their layer 2 equipment supports such filtering. The
best would of course be if it supports RA Guard or something like it,
but if it doesn't, I think a forklift upgrade to gear that does is out
of the question.

Note that I'm not the ISP here - I'm a content provider that wants to
deploy IPv6 content, and have been for a long time bugging the ISP in
question about 6to4 brokenness originating from their network. I must
admit I feel rather stupid now that they finally deployed IPv6 (perhaps
hoping to shut me up once and for all) and it just made matters worse.

> Or allow it for everyone and play whack a mole and turn it off
> selectively for those users who are causing problems for others.

Yes, that's of course an alternative, albeit not a very enticing one.
It's really tragic if that's the only way to deploy IPv6 on a shared

There are other pieces of software that help with the whack-a-mole game,
too, like rafixd, ramond, and Python Scapy (someone pointed me to
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
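
The detection side of the whack-a-mole approach discussed above, as an added example that is not part of the original message and is not code from rafixd, ramond or Scapy: it parses raw Ethernet frames, picks out ICMPv6 Router Advertisements, and reports those whose source MAC is not a known router. The function names, the router allowlist and the sample frames are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV6, ETH_VLAN = 0x86DD, 0x8100   # EtherTypes: IPv6, 802.1Q tag
ICMPV6, RA_TYPE = 58, 134             # IPv6 next header, ICMPv6 Router Advertisement
EXT_HDRS = {0, 43, 60}                # hop-by-hop, routing, destination options

def parse_ra(frame):
    """Return (src_mac, src_ip, hop_limit) if frame is an ICMPv6 RA, else None."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == ETH_VLAN and len(frame) >= 18:       # skip one 802.1Q tag
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if etype != ETH_IPV6 or len(frame) < off + 40:   # the EtherType a port filter would match
        return None
    nxt, hop = frame[off + 6], frame[off + 7]
    src_ip = ipaddress.IPv6Address(frame[off + 8:off + 24])
    off += 40
    # Walk extension headers; fragmented RAs are not reassembled here.
    while nxt in EXT_HDRS and len(frame) >= off + 8:
        nxt, off = frame[off], off + 8 * (frame[off + 1] + 1)
    if nxt != ICMPV6 or len(frame) <= off or frame[off] != RA_TYPE:
        return None
    return src_mac, str(src_ip), hop

def rogue_ras(frames, allowed_macs):
    """Return the RAs whose source MAC is not in the set of known routers."""
    found = [parse_ra(f) for f in frames]
    return [ra for ra in found if ra and ra[0] not in allowed_macs]

def make_frame(src_mac, src_ip, payload):
    """Build a constructed IPv6 frame addressed to the all-nodes group ff02::1."""
    ip = struct.pack("!IHBB", 6 << 28, len(payload), ICMPV6, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    macs = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ETH_IPV6) + ip + payload

RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)  # checksum left zero
SAMPLE = [  # constructed frames, not captured traffic
    make_frame("00:00:5e:00:53:01", "fe80::1", RA),     # the legitimate router
    make_frame("00:00:5e:00:53:99", "fe80::99", RA),    # a host advertising itself
    make_frame("00:00:5e:00:53:42", "fe80::42", bytes([135]) + bytes(23)),  # not an RA
]
```

Calling rogue_ras(SAMPLE, {"00:00:5e:00:53:01"}) returns only the entry for 00:00:5e:00:53:99, which identifies the host to chase down.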