How to preempt rogue RAs?
Michael Sinatra
michael at rancid.berkeley.edu
Sat Oct 30 21:13:29 CEST 2010
On 10/30/10 10:50, Tore Anderson wrote:
> * George Bonser
>
>> Did you also have the "routing and remote access" service enabled? That
>> turns the windows box into a router.
>
> Thanks for the suggestion. I tried to turn that on now, but no change
> in behaviour - it doesn't transmit RAs back onto the access LAN.
A quick and dirty solution would be to configure the real ISP routers
that are providing the native IPv6 service to set the RA preference to
"high." (RA preferences can be "low," "medium," and "high"--see RFC
4191.) I have used this feature on "Brand C" routers and it works at
keeping the rogue 6to4 RAs at bay. Because the default for ICS RAs is
"medium," the "high" value announced by the native router will
effectively trump the garbage you're getting from your rogue clients.
Of course, there is still the issue of malicious RAs out there, and I
agree with others that RA-guard is a necessary feature (especially given
complexities of technologies like SEND).
michael
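To make the RFC 4191 mechanism discussed above concrete, here is a small added example (not code from the thread or from any router vendor) that decodes the Router Preference bits from an ICMPv6 Router Advertisement, ranks advertisements the way a host that implements RFC 4191 would, and flags RAs from link-local sources that are not on an allow-list, which is the check a monitoring box on the access LAN could run. The packets, the link-local source addresses (fe80::1, fe80::2) and the prefixes (2001:db8:1::/64 for the native router, 2002:c000:201::/64 standing in for an ICS 6to4 prefix) are constructed; the ICMPv6 checksum is left at zero because nothing here is sent on the wire.

```python
"""Decode the Router Preference field (RFC 4191) from ICMPv6 Router
Advertisements, rank them as a host would, and flag unexpected senders.
Constructed example; packets are built in memory and never transmitted."""
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
PREFIX_INFO_OPTION = 3
PREFERENCE_NAMES = {1: "high", 0: "medium", -1: "low"}


def decode_preference(flags: int) -> int:
    """Extract the two-bit signed Prf field (bits 3-4 of the RA flags byte).
    01 = high (+1), 00 = medium (0), 11 = low (-1); the reserved value 10
    must be treated as medium by receivers (RFC 4191 section 2.2)."""
    prf = (flags >> 3) & 0x3
    if prf == 0b01:
        return 1
    if prf == 0b11:
        return -1
    return 0


def parse_ra(packet: bytes) -> dict:
    """Parse the fixed RA header and any Prefix Information options."""
    if len(packet) < 16:
        raise ValueError("RA too short")
    icmp_type, _code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", packet[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off + 2 <= len(packet):
        opt_type, opt_len = packet[off], packet[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861 forbids this
        opt = packet[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == PREFIX_INFO_OPTION and opt_len == 4:
            prefix = ipaddress.IPv6Address(opt[16:32])
            prefixes.append(f"{prefix}/{opt[2]}")
        off += opt_len * 8
    pref = decode_preference(flags)
    return {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other_config": bool(flags & 0x40),
        "preference": pref,
        "preference_name": PREFERENCE_NAMES[pref],
        "router_lifetime": lifetime,
        "prefixes": prefixes,
    }


def build_ra(preference: int, prefix: str, lifetime: int = 1800,
             hop_limit: int = 64) -> bytes:
    """Build a constructed RA with the given preference and one on-link,
    autonomous prefix. Checksum is zero: this is never put on the wire."""
    prf_bits = {1: 0b01, 0: 0b00, -1: 0b11}[preference]
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         hop_limit, prf_bits << 3, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (32 bytes), L and A set
    option = struct.pack("!BBBBIII", PREFIX_INFO_OPTION, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0) + net.network_address.packed
    return header + option


def choose_default_router(advertisements: list) -> str:
    """Pick the source a host would prefer: highest Prf among RAs with a
    non-zero router lifetime; earlier RAs win ties."""
    candidates = [(src, parse_ra(pkt)) for src, pkt in advertisements]
    candidates = [(src, ra) for src, ra in candidates if ra["router_lifetime"] > 0]
    if not candidates:
        raise ValueError("no usable default routers")
    return max(candidates, key=lambda item: item[1]["preference"])[0]


def flag_unexpected_routers(advertisements: list, known_routers: set) -> list:
    """Monitoring check: report RA senders that are not on the allow-list,
    together with the preference they announce."""
    return [(src, parse_ra(pkt)["preference_name"])
            for src, pkt in advertisements if src not in known_routers]


if __name__ == "__main__":
    native = build_ra(1, "2001:db8:1::/64")          # real ISP router, "high"
    rogue = build_ra(0, "2002:c000:201::/64")         # ICS 6to4 box, "medium"
    seen = [("fe80::2", rogue), ("fe80::1", native)]
    print("default router:", choose_default_router(seen))
    print("unexpected RAs:", flag_unexpected_routers(seen, {"fe80::1"}))
```

A host only honours the preference bits if it implements RFC 4191, which is why the check in `flag_unexpected_routers` is still worth running even after the native routers announce "high": it tells you the rogue RAs are present, whereas the preference trick only keeps hosts from acting on them.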