"RA Guard"

Sun Sep 14 21:01:15 CEST 2008

WRT - "RA, a per port setting (or for a very simple switch, just the uplink-port ?)" ... That is a work in progress, look up 'RA Guard'.  :)

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: ipv6-ops-request at lists.cluenet.de

Date: Sun, 14 Sep 2008 12:00:08 
To: <ipv6-ops at lists.cluenet.de>
Subject: ipv6-ops Digest, Vol 42, Issue 5

Send ipv6-ops mailing list submissions to
	ipv6-ops at lists.cluenet.de

To subscribe or unsubscribe via the World Wide Web, visit
	http://lists.cluenet.de/mailman/listinfo/ipv6-ops
or, via email, send a message with subject or body 'help' to
	ipv6-ops-request at lists.cluenet.de

You can reach the person managing the list at
	ipv6-ops-owner at lists.cluenet.de

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ipv6-ops digest..."

Today's Topics:

   1. Re: Running IPv6 on a large L2 network (Leen Besselink)

----------------------------------------------------------------------

Message: 1
Date: Sun, 14 Sep 2008 10:14:57 +0200
From: Leen Besselink <ipv6ops at consolejunkie.net>
Subject: Re: Running IPv6 on a large L2 network
To: ipv6-ops at lists.cluenet.de
Message-ID: <20080914081453.GA4344 at home.consolejunkie.net>
Content-Type: text/plain; charset=us-ascii

On Tue, Sep 09, 2008 at 11:53:51AM +0100, Tim Chown wrote:
> On Tue, Sep 09, 2008 at 12:43:04PM +0200, G?ran Weinholt wrote:
> > weinholt at csbnet.se (G?ran Weinholt) writes:
> > > In the scenario I posted it doesn't matter if I disconnect the user
> > > that sent the RA, the network will still be broken for other hosts
> > > because of the bogus on-link route. To remove the route I might send
> > > my own RA with the announced prefixes and a very low lifetime, but the
> > > lowest lifetime allowed according to RFC4862 is two hours (ironically
> > > changed recently to address a possible DoS...)
> > 
> > Ok, I did some tests and both Linux and Windows Vista will actually
> > honor a AdvValidLifetime and AdvPreferredLifetime of zero. So now I
> > just have to write a program that counteracts bad RAs and everything
> > should be fine.
> > 
> > Thanks for the other suggestions in this thread, but if we could
> > afford to upgrade to a routed network (with one VLAN per customer or
> > what have you) we would. :)
> 
> I'm about to do a revision of this draft:
> 
> 	http://tools.ietf.org/id/draft-chown-v6ops-rogue-ra-01.txt
> 
> so any feedback is timely.
> 
> We also have a modified rafixd that I'll see if we can put up somewhere
> for people to fetch/use if they wish.
> 

I sometimes read this list when I have time. And that started me thinking and then
usually things go bad. So tell me if I'm stupid.

What if we, the kind of early adaptors of IPv6 compiled a list of 'possible bad packets'
and send it to the switch vendors so they can add a filter for them.

I really hate workarounds and yes, I don't mind a workaround when I need it
'now, now, now'. But I do want to know the workaround can go away eventually.

I know we'll be buying more switches eventually, updating firmware, removing old, etc.

So why not make life easier ?

I mean if you have an advanced switch it can already look at your IPv4-header
and prioritize based on TCP/IP port-number and what not.

Also I hear IPv6 has a 'fixed header' to make it easy for route vendors
to route, but that also means it's easier for switch vendors to filter, right ?

Is there anyone on this list who has good connections with there switch-vendors ?

So, I suggest adding these on the list first:

- RA, a per port setting (or for a very simple switch, just the uplink-port ?)
- Type 0, Routing header (per port or possible all ports on a very simple switch)

Any other idea's ?

> -- 
> Tim
> 
> 
> 

------------------------------

_______________________________________________
ipv6-ops mailing list
ipv6-ops at lists.cluenet.de
http://lists.cluenet.de/mailman/listinfo/ipv6-ops

End of ipv6-ops Digest, Vol 42, Issue 5
***************************************