How to preempt rogue RAs?

Gert Doering gert at space.net
Sat Oct 30 11:03:03 CEST 2010


Hi,

On Sat, Oct 30, 2010 at 10:53:07AM +0200, Tore Anderson wrote:
> If even native IPv6 service doesn't help with limiting the damage done
> by 6to4 I'm at a loss on what to do next.  Does anyone have any
> suggestions on how to deal with this problem?

Some gear can filter out the RAs from sources where they are not 
authorized.  (Or someone at Microsoft could wake up, see the light, 
and stop ICS from breaking other people's IPv6 connectivity...  like, 
for example, only activate this if a) no other RAs are seen, and b) 
the user has manually enabled the feature)

There's are a couple of IETF drafts focusing on this problem:

 draft-ietf-v6ops-rogue-ra-02.txt
    "the problem statement" (plus ideas on mitigation, like L2 ACLs)

 draft-ietf-v6ops-ra-guard-08.txt
    "how a switch implementation could help fixing this"

Gert Doering
        -- NetMaster
-- 
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279



More information about the ipv6-ops mailing list