How to preempt rogue RAs?
nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org
Sun Oct 31 22:17:29 CET 2010
On Sun, 31 Oct 2010 14:07:28 -0700
"George Bonser" <gbonser at seven.com> wrote:
> > From: Mikael Abrahamsson
> > Sent: Sunday, October 31, 2010 1:49 PM
> > Subject: RE: How to preempt rogue RAs?
> > Yes, it's really bad that this wasn't done a long time ago.
> > It's being done now anyway:
> > <http://ipv6.com/articles/research/Secure-Neighbor-Discovery.htm>
> > --
> > Mikael Abrahamsson email: swmike at swm.pp.se
> And as has been typical with v6, they are apparently overreaching.
> Strong encryption should be an option but there should also be a weak
> option as well that doesn't require as much processor overhead. A
> simple md5 signature doesn't take a lot of processing power and protects
> against the case where someone brings a laptop into the network that
> generates RAs. It won't secure against a determined attack, but most
> cases of rogue RAs aren't the result of a determined attack, they are
> the result of an accident or other unintentional cause.
> The whole history of v6 has been one of making things "perfect" or
> "correct" to the point where people avoid using it. "Useful" trumps
> "correct" almost every time. What will be the cost of all this
> encryption on a busy network?
Encryption is pretty light these days. AES is part of the IEEE LowPAN
wireless standards, and those types of embedded devices are intended to
run for years on batteries. Intel have fairly recently added
instructions to their CPUs specifically for accelerating encryption
Key management is usually more of an issue. I've wondered, but haven't
looked into, whether 802.1x can be used to boot strap IPv6 SEND,
facilitating a simple username/password authentication model that we're
all quite comfortable with.
More information about the ipv6-ops