How to preempt rogue RAs?
Gert Doering
gert at space.net
Sat Oct 30 11:05:26 CEST 2010
Hi,
On Sat, Oct 30, 2010 at 11:03:03AM +0200, Gert Doering wrote:
> Some gear can filter out the RAs from sources where they are not
> authorized.
... and in the case of "attachment links to the ISP", the Right Thing
would probably be to prevent direct communication between the end nodes
anyway... if it's an ethernet switch, use "private VLANs" with "local
ARP spoofing" on the router, if it's some sort of ethernet DSLAM, they
usually have appropriate filtering capability.
This is not only about IPv6 RAs, but if customers can directly see each
other's L2 frames, lots of interesting attacks are possible.
Gert Doering
-- NetMaster
--
did you enable IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
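
The port-based RA filtering mentioned in this message, sketched as an added Python example (not part of the original post and not any vendor's implementation): a Router Advertisement is dropped unless it arrives on a port where a router is authorized. The port names, the helper `build_frame` and the sample frames are constructed for illustration; frames are assumed untagged and unfragmented.

```python
import struct

ETH_IPV6 = 0x86DD
ICMPV6 = 58
RA_TYPE = 134                      # Router Advertisement (RFC 4861)
EXT_HEADERS = {0, 43, 60}          # hop-by-hop, routing, destination options

def icmpv6_type(frame: bytes):
    """Return the ICMPv6 type carried in an Ethernet frame, or None."""
    if len(frame) < 14 + 40:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_IPV6:
        return None
    nxt, off = frame[14 + 6], 14 + 40
    # Follow the extension-header chain to the upper-layer header,
    # so the decision is made on the real payload type.
    while nxt in EXT_HEADERS:
        if len(frame) < off + 2:
            return None
        nxt, off = frame[off], off + (frame[off + 1] + 1) * 8
    if nxt != ICMPV6 or len(frame) <= off:
        return None
    return frame[off]

def verdict(frame: bytes, ingress_port: str, router_ports: set) -> str:
    """'drop' for an RA arriving on a port with no authorized router."""
    if icmpv6_type(frame) == RA_TYPE and ingress_port not in router_ports:
        return "drop"
    return "forward"

def build_frame(icmp_type: int, src_mac: bytes) -> bytes:
    """Constructed sample: minimal Ethernet + IPv6 + ICMPv6 frame."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(12)
    src_ip = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst_ip = bytes.fromhex("ff02" + "00" * 13 + "01")   # all-nodes multicast
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src_ip + dst_ip
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETH_IPV6)
    return eth + ipv6 + icmp

if __name__ == "__main__":
    ra = build_frame(RA_TYPE, bytes.fromhex("020000000099"))
    for port in ("uplink", "cust-1"):
        print(port, verdict(ra, port, router_ports={"uplink"}))
```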