Running IPv6 on a large L2 network
Mohacsi Janos
mohacsi at niif.hu
Sun Sep 14 22:30:31 CEST 2008
On Sun, 14 Sep 2008, Leen Besselink wrote:
> On Tue, Sep 09, 2008 at 11:53:51AM +0100, Tim Chown wrote:
>> On Tue, Sep 09, 2008 at 12:43:04PM +0200, Göran Weinholt wrote:
>>> weinholt at csbnet.se (Göran Weinholt) writes:
>>>> In the scenario I posted it doesn't matter if I disconnect the user
>>>> that sent the RA, the network will still be broken for other hosts
>>>> because of the bogus on-link route. To remove the route I might send
>>>> my own RA with the announced prefixes and a very low lifetime, but the
>>>> lowest lifetime allowed according to RFC4862 is two hours (ironically
>>>> changed recently to address a possible DoS...)
>>>
>>> Ok, I did some tests and both Linux and Windows Vista will actually
>>> honor a AdvValidLifetime and AdvPreferredLifetime of zero. So now I
>>> just have to write a program that counteracts bad RAs and everything
>>> should be fine.
>>>
>>> Thanks for the other suggestions in this thread, but if we could
>>> afford to upgrade to a routed network (with one VLAN per customer or
>>> what have you) we would. :)
>>
>> I'm about to do a revision of this draft:
>>
>> http://tools.ietf.org/id/draft-chown-v6ops-rogue-ra-01.txt
>>
>> so any feedback is timely.
>>
>> We also have a modified rafixd that I'll see if we can put up somewhere
>> for people to fetch/use if they wish.
>>
>
> I sometimes read this list when I have time. And that started me thinking and then
> usually things go bad. So tell me if I'm stupid.
>
> What if we, the kind of early adopters of IPv6, compiled a list of 'possible bad packets'
> and sent it to the switch vendors so they can add a filter for them.
>
> I really hate workarounds and yes, I don't mind a workaround when I need it
> 'now, now, now'. But I do want to know the workaround can go away eventually.
>
> I know we'll be buying more switches eventually, updating firmware, removing old, etc.
>
> So why not make life easier?
>
> I mean if you have an advanced switch it can already look at your IPv4-header
> and prioritize based on TCP/IP port-number and what not.
>
> Also I hear IPv6 has a 'fixed header' to make it easy for router vendors
> to route, but that also means it's easier for switch vendors to filter, right?
>
> Is there anyone on this list who has good connections with their switch vendors?
>
> So, I suggest adding these on the list first:
>
> - RA, a per port setting (or for a very simple switch, just the
> uplink-port ?)
A proposal has existed for more than a year now. The vendors just have to implement it.
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ra-guard-01.txt
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882