How to preempt rogue RAs?

George Bonser gbonser at
Sun Oct 31 20:42:35 CET 2010

> From: Tore Anderson 
> Sent: Sunday, October 31, 2010 10:24 AM
> To: Gert Doering
> Cc: George Bonser; ipv6-ops at
> Subject: Re: How to preempt rogue RAs?
>
> Hi,
>
> * Gert Doering
> > Maybe it's ICS, but not "Win 7 ICS", but Vista...
>
> I figured out how to reproduce the problem now.  It appears to be
> present in both Windows 7 and Vista, unfortunately.
>
> You need a computer with two network interfaces, e.g. a wired and a
> wireless one.  If ICS is active on the wireless interface, and you
> connect to a wired network, the 6to4 prefix derived from the IPv4
> address configured on the wired interface will be announced back on
> the wired LAN (in addition to a /64 within fec0::/16).  The wireless
> interface doesn't even have to be active - it seems to be sufficient
> that ICS is enabled on any interface as long as that interface is not
> the upstream one.  This is in my opinion not very well designed,
> hopefully Microsoft can improve it in future patches.

Sounds like there is a case to be made for having an md5 signature
option on RAs so your stuff can be configured to only "believe" your

I can't believe something like that isn't already part of the standard
considering how harmful rogue RAs are and how common the problem is.
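
Added example, not part of the original message or thread: a Python sketch that classifies prefixes seen in Router Advertisements on a LAN and, for the 6to4 case described in the quoted text, recovers the IPv4 address embedded in the prefix so the announcing host can be located. The function names, the expected-prefix list and the sample observations are assumptions constructed for illustration.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 space (RFC 3056)
SITE_LOCAL = ipaddress.ip_network("fec0::/16")    # range named in the quoted message

def sixtofour_prefix(ipv4):
    """Return the 6to4 /48 derived from an IPv4 address (2002:V4ADDR::/48)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_ipv4(prefix):
    """Recover the IPv4 address inside a 6to4 prefix, or None if not 6to4."""
    net = ipaddress.ip_network(prefix)
    if not net.subnet_of(SIX_TO_FOUR) or net.prefixlen < 48:
        return None
    return ipaddress.IPv4Address((int(net.network_address) >> 80) & 0xFFFFFFFF)

def classify_ra(prefix, expected_prefixes):
    """Return (verdict, detail) for one advertised prefix."""
    net = ipaddress.ip_network(prefix)
    if any(net == ipaddress.ip_network(p) for p in expected_prefixes):
        return ("expected", None)
    v4 = embedded_ipv4(prefix)
    if v4 is not None:
        # Per the quoted description, this is the sender's wired IPv4 address.
        return ("rogue-6to4", str(v4))
    if net.subnet_of(SITE_LOCAL):
        return ("rogue-site-local", None)
    return ("unexpected", None)

def scan(observations, expected_prefixes):
    """Map (source address, prefix) pairs to findings, skipping expected ones."""
    findings = []
    for src, prefix in observations:
        verdict, detail = classify_ra(prefix, expected_prefixes)
        if verdict != "expected":
            findings.append((src, prefix, verdict, detail))
    return findings

# Constructed sample data (documentation ranges), not captured traffic.
EXPECTED = ["2001:db8:100:1::/64"]
OBSERVED = [
    ("fe80::1", "2001:db8:100:1::/64"),
    ("fe80::a1b2", "2002:c000:22d:1::/64"),
    ("fe80::a1b2", "fec0:0:0:1::/64"),
]

if __name__ == "__main__":
    for finding in scan(OBSERVED, EXPECTED):
        print(finding)
```
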