Hello to the list and RA guard evasion technique

Ben Jencks ben at bjencks.net
Sun May 29 17:59:39 CEST 2011

On May 29, 2011, at 6:20 AM, Martin Millnert wrote:

> Hi Marc,
> perhaps I will be the first to say: Welcome!
> On Sun, 2011-05-29 at 11:40 +0200, Marc Heuse wrote:
> <Nice post trimmed for the trees and children>
>> Basically, if just want to prevent accidental RA's on the network, then
>> all the tools and mechanisms are fine.
>> But if you want to prevent attacks, the only secure way is packet
>> reassembling/verification in the switches - and that is not a good idea
>> for performance and availability reasons (RAM, CPU, ...).
> Seems to me that "attack-proof" networks then require either (more)
> expensive switches, and/or compartmentalization of your ports such that
> they share broadcast domains only in such sets where RA attacks are
> allowed to occur between the ports. Attacks obviously modulo where
> physical wired or wireless access is possible, mediated by attackers
> equipment directly, or by takeover of another party's system.
> Your writing further strengthens my personal opinion, which IPv6 has
> made (and continues to make) clear to me, that shared broadcast domains
> should be avoided as much as possible (period). And if you are going to
> spend the money on a switch which can re-assemble packets, you have
> essentially bought a routing switch, and you can then just do it the
> right way. :)

My thoughts are similar. It seems like this attack crosses the cost/benefit line of trying to mitigate individual attacks at the access layer, to the point where if you care about this attack you should just segment broadcast domains.

Another option is simply not to provide technical countermeasures against this attack -- if the attacker is going to this length to bypass RA guard, then there's no room for plausible deniability, and you can terminate the subscriber on the spot. Only really applicable to ISP-type networks, though.

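The "packet reassembling/verification in the switches" point in the quoted thread is easier to weigh with something concrete. The following is an added example written for this archive page, not code from the list posters or from any switch vendor: a minimal IPv6 extension-header walker with two RA guard checks side by side. `first_fragment_check` only looks at what a single frame shows, the way an ACL-style guard does; `ReassemblingRaGuard` buffers fragments per (source, destination, fragment id) and inspects the reassembled packet. All packets, addresses and the fragment id are constructed test data (the ICMPv6 checksum is left at zero), and the per-flow state in the reassembler is exactly the RAM/CPU cost the post is talking about.

```python
import struct
from collections import defaultdict

IPPROTO_ICMPV6 = 58
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
SKIPPABLE = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}   # headers we can step over
ICMPV6_RA = 134                                    # Router Advertisement type


def ipv6_header(pkt):
    """Split a raw IPv6 packet into (src, dst, next_header, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack_from("!HB", pkt, 4)
    return pkt[8:24], pkt[24:40], nh, pkt[40:40 + plen]


def skip_ext_headers(nh, data):
    """Step over hop-by-hop / routing / destination-options headers.
    Returns (next_header, remaining bytes); next_header is None on truncation."""
    while nh in SKIPPABLE:
        if len(data) < 2 or len(data) < (data[1] + 1) * 8:
            return None, b""
        nh, data = data[0], data[(data[1] + 1) * 8:]
    return nh, data


def is_ra_visible(nh, data):
    """True only if an ICMPv6 RA header is directly visible in these bytes."""
    nh, data = skip_ext_headers(nh, data)
    return nh == IPPROTO_ICMPV6 and len(data) >= 1 and data[0] == ICMPV6_RA


def first_fragment_check(pkt):
    """ACL-style guard: classify one frame on its own. Returns 'ra' or 'pass'."""
    _, _, nh, payload = ipv6_header(pkt)
    return "ra" if is_ra_visible(nh, payload) else "pass"


class ReassemblingRaGuard:
    """Guard that reassembles fragments before deciding: 'ra', 'pass' or 'pending'."""

    def __init__(self, max_bytes=65535):
        self.max_bytes = max_bytes        # cap on buffered bytes per flow
        self.buf = defaultdict(dict)      # (src, dst, id) -> {offset: bytes}
        self.meta = {}                    # (src, dst, id) -> (inner_nh, total_len)

    def _drop(self, key):
        self.buf.pop(key, None)
        self.meta.pop(key, None)

    def inspect(self, pkt):
        src, dst, nh, payload = ipv6_header(pkt)
        nh, data = skip_ext_headers(nh, payload)
        if nh != NH_FRAGMENT:
            return "ra" if is_ra_visible(nh, data) else "pass"
        if len(data) < 8:
            return "pass"
        off_flags, frag_id = struct.unpack_from("!HI", data, 2)
        offset, more, body = (off_flags >> 3) * 8, off_flags & 1, data[8:]
        key = (src, dst, frag_id)
        self.buf[key][offset] = body
        inner, total = self.meta.get(key, (None, None))
        if offset == 0:
            inner = data[0]               # upper-layer chain starts in fragment 0
        if not more:
            total = offset + len(body)    # last fragment fixes the total length
        self.meta[key] = (inner, total)
        if sum(map(len, self.buf[key].values())) > self.max_bytes:
            self._drop(key)               # refuse to hold unbounded state
            return "pass"
        if inner is None or total is None:
            return "pending"
        assembled = bytearray()
        for off in sorted(self.buf[key]):  # require a contiguous, gap-free set
            if off != len(assembled):
                return "pending"
            assembled += self.buf[key][off]
        if len(assembled) != total:
            return "pending"
        self._drop(key)
        return "ra" if is_ra_visible(inner, bytes(assembled)) else "pass"


# ---- constructed sample packets (test data, not captured traffic) ----
SRC = bytes.fromhex("fe80" + "0" * 24 + "0001")   # fe80::1
DST = bytes.fromhex("ff02" + "0" * 24 + "0001")   # ff02::1


def _ipv6(src, dst, nh, payload, hlim=255):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, hlim) + src + dst + payload


def _frag_hdr(inner_nh, offset, more, frag_id):
    return struct.pack("!BBHI", inner_nh, 0, ((offset // 8) << 3) | more, frag_id)


def _dstopts(next_nh, ext_len):
    total = (ext_len + 1) * 8                     # header length in bytes
    return bytes([next_nh, ext_len, 1, total - 4]) + b"\x00" * (total - 4)  # PadN fill


def build_samples():
    ra = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)  # 16-byte RA
    fragmentable = _dstopts(IPPROTO_ICMPV6, 1) + ra   # RA sits behind 16 bytes of options
    fid = 0x1234                                      # constructed fragment id
    return {
        "plain_ra": _ipv6(SRC, DST, IPPROTO_ICMPV6, ra),
        "frag1": _ipv6(SRC, DST, NH_FRAGMENT, _frag_hdr(NH_DSTOPTS, 0, 1, fid) + fragmentable[:16]),
        "frag2": _ipv6(SRC, DST, NH_FRAGMENT, _frag_hdr(NH_DSTOPTS, 16, 0, fid) + fragmentable[16:]),
        "udp_atomic": _ipv6(SRC, DST, NH_FRAGMENT, _frag_hdr(17, 0, 0, 0x99) + b"\x00" * 24),
    }
```

Run `build_samples()` through both checks: the plain RA is flagged by either, while the two-fragment version passes the single-frame check on both frames and is only flagged once the reassembler has seen both halves (in either order). The reassembler has to keep buffers and per-flow metadata until that happens, and a real implementation also needs timers and overlap handling on top of the byte cap shown here, which is why the thread concludes that doing this in the access switch is a poor trade against simply shrinking the broadcast domain.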
