How to preempt rogue RAs?
Mark Smith
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Sun Oct 31 11:05:16 CET 2010
On Sat, 30 Oct 2010 16:00:48 -0500
"Frank Bulk - iName.com" <frnkblk at iname.com> wrote:
> I sympathize with the state the ISP is in, but it's generally a better idea
> to fix the underlying problem (shared L2) rather than find
> complicated/obscure/proprietary workarounds. In fact, this existing IPv6
> brokenness could be the carrot for operations to hang in front of management
> to solve that underlying problem.
>
Agree, VLANs are pretty cheap. Their sub-interfaces on the router
also give you individual per-customer traffic monitoring and policy
enforcement points.
> Frank
>
> -----Original Message-----
> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
> Tore Anderson
> Sent: Saturday, October 30, 2010 4:57 AM
> To: ipv6-ops at lists.cluenet.de
> Subject: Re: How to preempt rogue RAs?
>
> Hi,
>
> * Gert Doering
>
> > Some gear can filter out the RAs from sources where they are not
> > authorized.
>
> I'm aware of that, but I don't think they're particularly open to
> forklift upgrading their entire access network to deal with this
> problem, or as Mikael suggested, doing drastic changes to their
> topology. At least not in the short term...
>
> The shared access LAN model clearly has its weaknesses, but it's quite
> common and for IPv4 works reasonably well in the absence of malicious
> users. But for IPv6 it seems overwhelmingly likely that the users
> causing problems are completely oblivious as to what they're doing.
>
> > (Or someone at Microsoft could wake up, see the light,
> > and stop ICS from breaking other people's IPv6 connectivity... like,
> > for example, only activate this if a) no other RAs are seen, and b)
> > the user has manually enabled the feature)
>
> I haven't confirmed 100% that it's Windows ICS that's responsible for
> the RAs. However some of the broken users ran the ICSI Netalyzr (a
> fantastic tool for getting great debugging info out of non-technical
> users by the way) at my request so I could see which 6to4 addresses they
> had configured and from which IPv4 addresses they were derived, and then
> I could see hits from some of those addresses, which identified
> themselves as Windows 7 (NT 6.1). But that doesn't rule out the
> presence of a NAT box in between of course.
>
> I've briefly tried to reproduce the problem with a Windows 7 box I have
> here by turning on ICS on an IPv4-only LAN segment, and while I could see
> it activating the local 6to4 tunnel, it did not start transmitting RAs
> for that prefix. So I'm not 100% sure if ICS is involved, and if it is,
> exactly how it has to be set up in order for the rogue RAs to show up.
> If somebody knows more in detail how ICS/6to4 operates I'd appreciate
> hearing about it, or if somebody has any suggestions on how it would
> have to be configured in order to break I'll be happy to try it out in
> my lab.
>
> > There are a couple of IETF drafts focusing on this problem:
>
> Thanks. I was hoping that deploying native IPv6 service would just
> sidestep the problem completely by having the ISP's router announce
> itself as the One True IPv6 Router by setting <ipv6 nd router-preference
> High>. But it doesn't seem to work. :-(
>
> Best regards,
> --
> Tore Anderson
> Redpill Linpro AS - http://www.redpill-linpro.com/
> Tel: +47 21 54 41 27
>
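The thread turns on two observations: access gear that can filter RAs "from sources where they are not authorized" solves the problem, while setting the ISP router's preference to High does not, because hosts still autoconfigure every prefix they hear. The following is an added example, not code from anyone in this thread: a small RFC 4861/4191 Router Advertisement decoder, a source-allowlist check of the kind an RA-guard-capable switch applies on the customer port, and a `host_view` function that shows what an unfiltered host ends up with. The allowlist (`fe80::1`), the sample packets and the 6to4 prefix `2002:c000:201::/64` are constructed for the example; the policy of flagging 6to4 (`2002::/16`) prefixes on a native segment is an assumption taken from the ICS/6to4 discussion above, not something the gear mentioned necessarily does.

```python
"""Decode IPv6 Router Advertisements and classify them as authorized or rogue.

Added example (not from the thread). Policy: only allowlisted router
link-local addresses may advertise, and an RA carrying a 6to4 prefix on a
native segment is flagged. Checksums are left at zero in the constructed
sample packets; a real collector would validate them first.
"""
import struct
import ipaddress

ICMPV6_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

# RFC 4191 section 2.2: Prf field, bits 3-4 of the RA flags byte.
PREFERENCE = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}
PREF_RANK = {"High": 2, "Medium": 1, "Reserved": 1, "Low": 0}

# Constructed allowlist: link-local addresses of the ISP's real routers.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def build_ra(prf, router_lifetime, prefixes):
    """Build a minimal RA payload (constructed test data, checksum zero)."""
    flags = (prf & 0b11) << 3                       # M=0, O=0, H=0, Prf=prf
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0,
                      64, flags, router_lifetime, 0, 0)
    opts = b""
    for prefix, plen in prefixes:
        # Prefix Information option: type 3, length 4 (32 bytes), L+A flags set.
        opts += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, plen, 0xC0,
                            2592000, 604800, 0)
        opts += ipaddress.IPv6Address(prefix).packed
    return hdr + opts


def parse_ra(payload):
    """Decode the RA header and any Prefix Information options (RFC 4861 4.2, 4.6.2)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "router_preference": PREFERENCE[(flags >> 3) & 0b11],
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 4:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append(ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False))
        off = end
    return ra


def classify_ra(src, payload, authorized=AUTHORIZED_ROUTERS):
    """Return policy violations for one RA; an empty list means it is accepted."""
    src = ipaddress.IPv6Address(src)
    ra = parse_ra(payload)
    reasons = []
    if not src.is_link_local:
        reasons.append(f"source {src} is not link-local (RFC 4861 requires fe80::/10)")
    if src not in authorized:
        reasons.append(f"unauthorized source {src}")
    for net in ra["prefixes"]:
        if net.subnet_of(SIXTOFOUR):
            reasons.append(f"6to4 prefix {net} advertised on native segment")
    return reasons


def host_view(received):
    """What an unfiltered host ends up with: the default router is chosen by Prf
    (RFC 4191), but SLAAC prefixes are merged from every RA it hears, so a High
    preference on the ISP router does not stop the rogue prefix being configured."""
    best = None
    prefixes = set()
    for src, payload in received:
        ra = parse_ra(payload)
        rank = PREF_RANK[ra["router_preference"]]
        if ra["router_lifetime"] > 0 and (best is None or rank > best[1]):
            best = (ipaddress.IPv6Address(src), rank)
        prefixes.update(ra["prefixes"])
    return (best[0] if best else None), prefixes


if __name__ == "__main__":
    # Constructed samples: the ISP router (Prf High) and an ICS-style 6to4 RA.
    isp = build_ra(0b01, 1800, [("2001:db8:1::", 64)])
    ics = build_ra(0b00, 1800, [("2002:c000:201::", 64)])
    for name, src, pkt in (("isp", "fe80::1", isp), ("ics", "fe80::abcd", ics)):
        print(name, parse_ra(pkt)["router_preference"], classify_ra(src, pkt) or "accepted")
    print("unfiltered host:", host_view([("fe80::1", isp), ("fe80::abcd", ics)]))
```

Run against a live capture, `classify_ra` would be fed the IPv6 source and ICMPv6 payload of each RA seen on the access port; anything that returns a non-empty list is what the "gear that can filter" in the thread drops, and `host_view` is why the preference knob alone does not help.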