Unwanted RA on LAN

Wed Mar 9 10:29:47 CET 2011

On Wed, 9 Mar 2011 09:31:35 +0100
"Eric Vyncke (evyncke)" <evyncke at cisco.com> wrote:

> Daniel
> 
> You got me :-)
> 
> AFAIK, the normal Cisco/Linksys CPE have a internal switch which is dumb... so cannot do any ACL or even 'punt' ICMPv6 packets to the CPU... All that could possibly do it perhaps (and code is not there AFAIK) block the propagation from a rogue RA from WiFi to the LAN... and even...
> 

These sorts of devices seem to be able to do IGMP/MLD snooping and
corresponding controlled multicast forwarding, so possibly those
mechanisms could be used to prevent unauthorised multicast RAs being
propagated out ports they shouldn't be, rather than being dropped on
the way in. It wouldn't prevent solicited unicast RAs, although I'm
pretty sure they only occur once an end-node has become aware of the
router via previous multicasts.

Regards,
Mark.

> Now, if you are at home with 10 IPv6 hosts, you probably do not need a powerful tool such as RAGuard. E.g., you probably do not inspect DHCPv4 or ARP in the same setting :-)
> 
> -éric
> 
> > -----Original Message-----
> > From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> > bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Daniel Roesen
> > Sent: mercredi 9 mars 2011 9:28
> > To: ipv6-ops at lists.cluenet.de
> > Subject: Re: Unwanted RA on LAN
> > 
> > On Wed, Mar 09, 2011 at 09:05:26AM +0100, Eric Vyncke (evyncke) wrote:
> > > If using Cisco switches, then you can use an Port ACL or even the RA
> > > guard (both available on most recent switches with the software
> > > release of Summer 2010).
> > 
> > Now that you beat me to it:
> > 
> > What are the chances to get some kind of RA filtering / RA guard in the
> > Cisco/Linksys line of residential CPE routers with built-in switches?
> > 
> > :-)
> > 
> > Best regards,
> > Daniel
> > 
> > --
> > CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0