How to preempt rogue RAs?

Mikael Abrahamsson swmike at swm.pp.se
Sun Oct 31 12:38:07 CET 2010


On Sun, 31 Oct 2010, Tore Anderson wrote:

> However, shared L2 deployment in IPv4-only networks with rogue RA
> problems is very common, it's certainly not something the ISP in
> question was alone about.

The problem has been known for years. I certainly had it on my top 
priority as one thing that needed to work when looking at IPv4 and IPv6 
deployment the past 10 years.

> I'd like to come up with a solution to the problem I could present to 
> the next network on my list.  However if that includes drastically 
> changing the access model and/or replacing lots of hardware...  Well, 
> it'd be like tilting at windmills I suppose.  I'm not even sure it's at 
> all possible to insulate users from each other in all cases.  How would 
> you do it in a public WiFi network?  (I've heard that even the IETF has 
> problems with rogue RAs on their conference network...  If they can't 
> get it right, who can?)

One needs to select the correct L2 equipment for the job, be it APs 
or L2 switches. One way of fixing it for switches is to do one vlan per 
customer and use rfc3069 style "one customer per vlan but still have 
multiple customers in the same /something". Cisco supports this, Extreme 
Networks does too (at least in their older equipment). Cisco doesn't 
really call it RFC3069 support but it still works (local-proxy-arp, ip 
address unnumbered, specific /32 route to the vlan interface).

> My hope was that deploying native IPv6 would stop the 6to4 rogue RA
> madness.

With the above RFC3069 scenario they could deploy separate IPv6 /64 per 
customer and solve that problem as well.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se
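The per-customer VLAN setup described in the message above, written out as a constructed Cisco IOS configuration fragment. This is an added illustration, not configuration posted by the author or taken from any ISP; interface names, VLAN numbers and the documentation addresses (192.0.2.0/24, 2001:db8::/32) are assumptions, and exact command syntax varies by platform and IOS release. The point it shows is that each customer sits alone on its own L2 segment, so an RA (rogue or otherwise) sent by one customer never reaches another customer's hosts, while all customers still share one IPv4 /24 via `ip unnumbered` plus local proxy ARP and host routes, and each gets its own IPv6 /64.

```cisco
! Constructed example (not from the list post): one VLAN per customer,
! RFC 3069-style shared IPv4 subnet, plus a dedicated IPv6 /64 per VLAN.
!
! Shared IPv4 gateway address that every customer VLAN borrows.
interface Loopback0
 description Shared IPv4 gateway for all customer VLANs
 ip address 192.0.2.1 255.255.255.0
!
! Customer A: alone on VLAN 101, so any RA it sends stays on VLAN 101.
interface Vlan101
 description Customer A (single customer on this L2 segment)
 ip unnumbered Loopback0
 ip local-proxy-arp
 ipv6 address 2001:db8:0:101::1/64
!
! Customer B: alone on VLAN 102, same shared IPv4 /24, own IPv6 /64.
interface Vlan102
 description Customer B (single customer on this L2 segment)
 ip unnumbered Loopback0
 ip local-proxy-arp
 ipv6 address 2001:db8:0:102::1/64
!
! Host (/32) routes tie each customer's assigned IPv4 address to its
! own VLAN interface; local proxy ARP on the VLANs lets customers in the
! same /24 reach each other through the router instead of directly.
ip route 192.0.2.10 255.255.255.255 Vlan101
ip route 192.0.2.11 255.255.255.255 Vlan102
```

With this layout the router is the only device that can answer ARP or send RAs on any customer's segment, which is what confines a misbehaving 6to4 or other rogue-RA host to its own VLAN; the operational cost is that every customer needs its own VLAN and host route, which is the hardware and access-model change the thread is debating.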

