Hello to the list and RA guard evasion technique

Martin Millnert martin at millnert.se
Sun May 29 12:20:52 CEST 2011


Hi Marc,

perhaps I will be the first to say: Welcome!

On Sun, 2011-05-29 at 11:40 +0200, Marc Heuse wrote:
<Nice post trimmed for the trees and children>
> Basically, if you just want to prevent accidental RA's on the network, then
> all the tools and mechanisms are fine.
> But if you want to prevent attacks, the only secure way is packet
> reassembling/verification in the switches - and that is not a good idea
> for performance and availability reasons (RAM, CPU, ...).

Seems to me that "attack-proof" networks then require either (more)
expensive switches, and/or compartmentalization of your ports such that
they share broadcast domains only in such sets where RA attacks are
allowed to occur between the ports. Attacks obviously modulo where
physical wired or wireless access is possible, mediated by attackers'
equipment directly, or by takeover of another party's system.

Your writing further strengthens my personal opinion, which IPv6 has
made (and continues to make) clear to me, that shared broadcast domains
should be avoided as much as possible (period). And if you are going to
spend the money on a switch which can re-assemble packets, you have
essentially bought a routing switch, and you can then just do it the
right way. :)

Thanks,
Cheers,
Martin
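The claim quoted above (that a switch which inspects one packet at a time cannot reliably recognise a Router Advertisement hidden behind extension headers or split across fragments, so only reassembly gives a secure answer) is easy to see with a small header-chain walker. The following is an added illustration, not code from Marc's or Martin's posts or from any RA guard implementation: it walks the IPv6 extension-header chain the way a stateless per-packet filter would, and reports when the ICMPv6 header simply is not present in the packet being inspected. The sample packets are constructed inline (ICMPv6 checksums are left at zero and are not validated), and the function and field names are the example's own.

```python
import struct
import ipaddress

# IPv6 Next Header values (IANA protocol numbers)
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOPOPT, ROUTING, DSTOPTS}
RA_TYPE = 134  # ICMPv6 Router Advertisement


def classify(pkt: bytes) -> dict:
    """Stateless header-chain walk, as a per-packet RA guard would do it.

    Returns the verdict plus the list of extension headers traversed.
    'needs-reassembly' means the bytes that decide RA / not-RA are not in
    this packet, so no per-packet rule can be both correct and safe."""
    chain = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"verdict": "not-ipv6", "chain": chain}
    nh, off, in_fragment = pkt[6], 40, False
    while True:
        if nh == FRAGMENT:
            if len(pkt) < off + 8:
                return {"verdict": "truncated", "chain": chain}
            frag_nh = pkt[off]
            frag_word = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag_offset, more = frag_word >> 3, frag_word & 1
            chain.append(FRAGMENT)
            if frag_offset != 0:
                # Not the first fragment: the Next Header field describes the
                # first byte of the original payload, not what this fragment carries.
                return {"verdict": "needs-reassembly", "chain": chain}
            in_fragment = more == 1
            nh, off = frag_nh, off + 8
        elif nh in EXT_HEADERS:
            if len(pkt) < off + 2:
                return {"verdict": "needs-reassembly" if in_fragment else "truncated",
                        "chain": chain}
            chain.append(nh)
            # Hdr Ext Len counts 8-octet units not including the first 8 octets
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            break
    if nh != ICMPV6:
        return {"verdict": "not-icmpv6", "chain": chain}
    if len(pkt) < off + 4:
        # The ICMPv6 header lives in a later fragment: RA or not is undecidable here
        return {"verdict": "needs-reassembly" if in_fragment else "truncated", "chain": chain}
    verdict = "router-advertisement" if pkt[off] == RA_TYPE else "other-icmpv6"
    return {"verdict": verdict, "chain": chain}


def stateless_guard(pkt: bytes) -> str:
    """Decision a guard that sees only one packet can make on a host port.
    'undecidable' is where a deployment must either reassemble or drop
    fragmented / extension-header-laden traffic wholesale."""
    v = classify(pkt)["verdict"]
    if v == "router-advertisement":
        return "drop"
    if v == "needs-reassembly":
        return "undecidable"
    return "pass"


# --- constructed sample packets (not captures) ---------------------------------
SRC = ipaddress.IPv6Address("fe80::1").packed
DST = ipaddress.IPv6Address("ff02::1").packed


def ipv6(nh: int, payload: bytes) -> bytes:
    # version 6, traffic class 0, flow label 0; hop limit 255 as RAs require
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + SRC + DST + payload


def ra_body() -> bytes:
    # type 134, code 0, checksum 0 (not validated here), cur hop limit 64,
    # flags 0, router lifetime 1800 s, reachable time 0, retrans timer 0
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)


def dstopts(nh: int, declared_units: int = 0) -> bytes:
    # 8-byte Destination Options header holding one PadN option; Hdr Ext Len
    # may declare more 8-octet units than this fragment actually carries
    return bytes([nh, declared_units, 1, 4, 0, 0, 0, 0])


def fragment(nh: int, offset: int, more: int, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)


SAMPLES = {
    "plain RA": ipv6(ICMPV6, ra_body()),
    "RA behind DstOpts": ipv6(DSTOPTS, dstopts(ICMPV6) + ra_body()),
    "first fragment, chain cut before ICMPv6":
        ipv6(FRAGMENT, fragment(DSTOPTS, 0, 1) + dstopts(ICMPV6, declared_units=1)),
    "later fragment carrying the RA bytes":
        ipv6(FRAGMENT, fragment(ICMPV6, 2, 0) + ra_body()),
    "ordinary echo request": ipv6(ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        c = classify(pkt)
        print(f"{name:42s} chain={c['chain']!s:12s} {c['verdict']:22s} guard={stateless_guard(pkt)}")
```

Running it shows the two fragment cases coming back as undecidable: the first fragment ends before the ICMPv6 type byte, and the later fragment's bytes have no header context of their own. Anything a stateless guard does with those packets is a guess either way, which is the reassembly-or-compartmentalise trade-off the thread describes.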


