How to preempt rogue RAs?

Michael Sinatra michael at
Sat Oct 30 21:13:29 CEST 2010

On 10/30/10 10:50, Tore Anderson wrote:
> * George Bonser
>> Did you also have the "routing and remote access" service enabled?  That
>> turns the windows box into a router.
> Thanks for the suggestion.  I tried to turn that on now, but no change
> in behaviour - it doesn't transmit RAs back onto the access LAN.

A quick and dirty solution would be to configure the real ISP routers 
that are providing the native IPv6 service to set the RA preference to 
"high."  (RA preferences can be "low," "medium," and "high"--see RFC 
4191.)  I have used this feature on "Brand C" routers and it works at 
keeping the rogue 6to4 RAs at bay.  Because the default for ICS RAs is 
"medium," the "high" value announced by the native router will 
effectively trump the garbage you're getting from your rogue clients.

Of course, there is still the issue of malicious RAs out there, and I 
agree with others that RA-guard is a necessary feature (especially given 
complexities of technologies like SEND).


More information about the ipv6-ops mailing list