blocking rogue router advertisements on switches

Gavin McCullagh gavin.mccullagh at gcd.ie
Fri May 6 13:06:27 CEST 2011


Hi Eric,

On Fri, 06 May 2011, Eric Vyncke (evyncke) wrote:

> Using an ACL to block rogue RA is the usual procedure indeed. While I
> cannot really understand (no time...) the semantics of your ACL, if you
> apply a layer-2 ACL blocking Ethernet packets with Ethertype 0x86DD,
> next header = 58 and ICMP type = 136 to ports where there is no router (=
> not on your uplink), then you are 99.99% safe.

On reflection, I had neglected to put in Ethertype 0x86DD, thanks for the 
reminder. :-)

> Of course, an evil attacker could insert any extension header between
> the IPv6 header and ICMP, defeating your simple ACL, but you will block all
> misconfigured PCs :-)

Indeed.  Life is getting complicated.

> There are other tools such as RAMOND, NDPMON and others which can also
> help mitigate this attack

I've looked at those alright, though I think directly blocking on the
switch ports is probably preferable for us.

We also found that setting the priority to "high" on our adverts helped.
The misconfigured laptops don't seem to do that thankfully.

Gavin
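The two points in this exchange, the three-field layer-2 match and the extension-header gap Eric mentions, can be made concrete with a small frame classifier. The following Python is an added example written for this page, not code from the thread or from any switch vendor. It constructs a few Ethernet/IPv6 frames inline (source MAC, link-local address and ICMPv6 bodies are made-up test values, checksums are left zero and not validated), then compares a classifier that only looks at Ethertype, IPv6 Next Header and ICMPv6 type with one that walks the extension-header chain first. Per RFC 4861 a Router Advertisement is ICMPv6 type 134 (136 is Neighbor Advertisement), so the example matches on 134; this is the check a monitoring tool would apply to mirrored traffic to find RAs that a simple port ACL lets through.

```python
"""Classify Ethernet frames as IPv6 Router Advertisements, with and without
walking IPv6 extension headers.  Added example; all frames are constructed."""
import struct

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134      # RFC 4861 (136 is Neighbor Advertisement)
ETH_LEN, IPV6_LEN = 14, 40
# Extension headers that may be inserted between the IPv6 header and ICMPv6
# (RFC 8200, RFC 4302).  Each is at least 8 bytes long.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def _ethertype(frame: bytes) -> int:
    return struct.unpack_from("!H", frame, 12)[0]


def _ext_header_len(nh: int, frame: bytes, off: int) -> int:
    """Total length in bytes of the extension header of type `nh` at `off`."""
    if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        return (frame[off + 1] + 1) * 8      # Hdr Ext Len in 8-octet units, excl. first 8
    if nh == FRAGMENT:
        return 8                             # fixed size
    return (frame[off + 1] + 2) * 4          # AH: Payload Len in 4-octet units, minus 2


def is_ra_simple_acl(frame: bytes) -> bool:
    """What the three-field ACL sees: Ethertype, IPv6 Next Header, ICMPv6 type."""
    if len(frame) < ETH_LEN + IPV6_LEN + 1 or _ethertype(frame) != ETHERTYPE_IPV6:
        return False
    if frame[ETH_LEN + 6] != NEXT_HEADER_ICMPV6:      # Next Header is byte 6 of IPv6 header
        return False
    return frame[ETH_LEN + IPV6_LEN] == ICMPV6_ROUTER_ADVERTISEMENT


def is_ra_deep(frame: bytes) -> bool:
    """Walk the extension-header chain until ICMPv6 (or something else) is reached."""
    if len(frame) < ETH_LEN + IPV6_LEN or _ethertype(frame) != ETHERTYPE_IPV6:
        return False
    nh, off = frame[ETH_LEN + 6], ETH_LEN + IPV6_LEN
    while nh in EXT_HEADERS:
        if off + 8 > len(frame):
            return False                     # truncated extension header
        if nh == FRAGMENT and struct.unpack_from("!H", frame, off + 2)[0] & 0xFFF8:
            return False                     # non-first fragment: no ICMPv6 header here
        nh, off = frame[off], off + _ext_header_len(nh, frame, off)
    if nh != NEXT_HEADER_ICMPV6 or off >= len(frame):
        return False
    return frame[off] == ICMPV6_ROUTER_ADVERTISEMENT


def build_frame(icmp_type: int, ext_chain=()) -> bytes:
    """Constructed test frame: Ethernet + IPv6 + optional extension headers + ICMPv6.
    Only Hop-by-Hop, Destination Options and Fragment headers are generated."""
    payload = bytes([icmp_type, 0, 0, 0]) + bytes(12)   # 16-byte RA-shaped body, checksum 0
    nh = NEXT_HEADER_ICMPV6
    for ext in reversed(ext_chain):                     # build innermost header first
        if ext in (HOP_BY_HOP, DEST_OPTS):
            hdr = bytes([nh, 0, 1, 4, 0, 0, 0, 0])      # Hdr Ext Len 0, one PadN option
        elif ext == FRAGMENT:
            hdr = bytes([nh, 0, 0, 0, 0, 0, 0, 1])      # offset 0, M=0, identification 1
        else:
            raise ValueError(f"unsupported extension header {ext}")
        payload, nh = hdr + payload, ext
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), nh, 255)
    ipv6 += bytes.fromhex("fe80" + "00" * 13 + "01")    # src fe80::1 (constructed)
    ipv6 += bytes.fromhex("ff02" + "00" * 13 + "01")    # dst ff02::1 all-nodes
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")  # constructed MACs
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + payload


def audit(frames) -> dict:
    """Count how many frames each classifier flags as a Router Advertisement."""
    return {"simple_acl": sum(is_ra_simple_acl(f) for f in frames),
            "deep": sum(is_ra_deep(f) for f in frames)}


if __name__ == "__main__":
    sample = [build_frame(134),                    # plain RA: both classifiers catch it
              build_frame(134, (HOP_BY_HOP,)),     # RA behind a Hop-by-Hop header: ACL misses it
              build_frame(136),                    # Neighbor Advertisement: neither
              b"\x00" * 12 + b"\x08\x00" + bytes(60)]  # IPv4 frame: neither
    print(audit(sample))
```

The `deep` walker is what distinguishes a hardened detector from the ACL: it also refuses non-first fragments, where the ICMPv6 header is simply not present in the frame, rather than guessing. Switch ACLs that cannot parse extension headers still do the job Eric describes (stopping misconfigured hosts); the walker shows what they do not see.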




More information about the ipv6-ops mailing list