How to preempt rogue RAs?

Doug Barton dougb at dougbarton.us
Sat Oct 30 21:53:33 CEST 2010


On 10/30/10 02:05, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 30, 2010 at 11:03:03AM +0200, Gert Doering wrote:
>> Some gear can filter out the RAs from sources where they are not
>> authorized.
>
> ... and in the case of "attachment links to the ISP", the Right Thing
> would probably be to prevent direct communication between the end nodes
> anyway...  if it's an ethernet switch, use "private VLANs" with "local
> ARP spoofing" on the router, if it's some sort of ethernet DSLAM, they
> usually have appropriate filtering capability.
>
> This is not only about IPv6 RAs, but if customers can directly see each
> other's L2 frames, lots of interesting attacks are possible.

Big +1 to this. It's definitely a case of "solve the real problem."

As for the cause, there are so many possibilities that efforts spent on 
learning the cause(s) and trying to figure out mitigation, and then 
communicating that to the customer(s) would eat up all of the ISP's 
profits for the year, or more.

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
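The source filtering Gert describes, accepting RAs only from the link's authorized routers, as a small detection check over raw IPv6 frames. This is an added example, not code from the thread; the authorized router address fe80::1 and the sample capture are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6 = 58             # IPv6 next-header value for ICMPv6
ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement
# Constructed RA body: cur hop limit 64, flags 0, router lifetime 1800 s, timers 0
SAMPLE_RA_BODY = struct.pack("!BBHII", 64, 0, 1800, 0, 0)

def build_packet(src, dst, icmp_type, hop_limit=255, body=SAMPLE_RA_BODY):
    """Construct a minimal IPv6 + ICMPv6 packet as test input (checksum left zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    ip_hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return ip_hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def classify_ra(packet, authorized):
    """Return None for non-RA traffic, else 'authorized', 'rogue' or 'invalid'."""
    # 'invalid' = RA violating RFC 4861 (hop limit != 255 or non-link-local source)
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return None
    _, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    if next_header != ICMPV6 or packet[40] != ND_ROUTER_ADVERT:
        return None  # extension headers are not walked; RAs carry none in practice
    src = ipaddress.IPv6Address(packet[8:24])
    if hop_limit != 255 or not src.is_link_local:
        return "invalid"
    return "authorized" if src in authorized else "rogue"

def audit(packets, authorized):
    """Count verdicts over a capture and collect the rogue sources seen."""
    verdicts, rogue_sources = {}, set()
    for pkt in packets:
        verdict = classify_ra(pkt, authorized)
        if verdict is None:
            continue
        verdicts[verdict] = verdicts.get(verdict, 0) + 1
        if verdict == "rogue":
            rogue_sources.add(str(ipaddress.IPv6Address(pkt[8:24])))
    return verdicts, rogue_sources

# Constructed capture: the authorized router fe80::1 (assumed), a host sending its
# own RA, an RA with a wrong hop limit, and an unrelated neighbor solicitation (135)
ROUTERS = {ipaddress.IPv6Address("fe80::1")}
CAPTURE = [
    build_packet("fe80::1", "ff02::1", ND_ROUTER_ADVERT),
    build_packet("fe80::dead:beef", "ff02::1", ND_ROUTER_ADVERT),
    build_packet("fe80::1", "ff02::1", ND_ROUTER_ADVERT, hop_limit=64),
    build_packet("fe80::abcd", "ff02::1", 135),
]
```

On a real link the same check would be fed from a raw socket or pcap on the access port; the allowlist is the set of link-local addresses of the ISP's own routers.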


