How to preempt rogue RAs?
Tore Anderson
tore.anderson at redpill-linpro.com
Sat Oct 30 20:31:32 CEST 2010
* Leen Besselink
> Maybe this is a bad idea, but it is one of the few ideas I had.
>
> I don't know the equipment or situation, but do you have a customer per
> switch port?
>
> If the switch allows it, you could just block IPv6 per switch port based
> on ethernet type.
>
> Block it everywhere for everyone and enable IPv6 for customers that are
> gonna use it.
I don't know if their layer 2 equipment supports such filtering. The
best would of course be if it supports RA Guard or something like it,
but if it doesn't, I think a forklift upgrade to gear that does is out
of the question.

Note that I'm not the ISP here - I'm a content provider that wants to
deploy IPv6 content, and have been for a long time bugging the ISP in
question about 6to4 brokenness originating from their network. I must
admit I feel rather stupid now that they finally deployed IPv6 (perhaps
hoping to shut me up once and for all) and it just made matters worse.
> Or allow it for everyone and play whack a mole and turn it off
> selectively for those users who are causing problems for others.
Yes, that's of course an alternative, albeit not a very enticing one.
It's really tragic if that's the only way to deploy IPv6 on a shared
access LAN.

There are other pieces of software that help with the whack-a-mole game,
too, like rafixd, ramond, and Python Scapy (someone pointed me to
http://ipv6hawaii.org/?p=143 off-list).
BR,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com
Tel: +47 21 54 41 27
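
The kind of passive check that rogue-RA monitoring on a shared LAN relies on, as an added example that is not part of the original message and is not code from rafixd, ramond or Scapy: it parses raw Ethernet frames, picks out ICMPv6 Router Advertisements (type 134), and reports any whose source MAC is not on an allowlist of known routers. The MAC addresses, link-local addresses, function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

ETH_IPV6, ETH_VLAN, NH_ICMPV6, ICMPV6_RA = 0x86DD, 0x8100, 58, 134
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def parse_ra(frame):
    """Return (src_mac, src_ip, hop_limit, router_lifetime) for an RA frame, else None."""
    if len(frame) < 14:
        return None
    src_mac, off = frame[6:12].hex(":"), 14
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_VLAN and len(frame) >= 18:  # step over one 802.1Q tag
        (etype,), off = struct.unpack("!H", frame[16:18]), 18
    if etype != ETH_IPV6 or len(frame) < off + 40:
        return None
    nh, hop_limit = frame[off + 6], frame[off + 7]
    src_ip = str(ipaddress.IPv6Address(frame[off + 8:off + 24]))
    off += 40
    while nh in EXT_HEADERS and len(frame) >= off + 8:  # skip simple extension headers
        nh, off = frame[off], off + (frame[off + 1] + 1) * 8
    if nh != NH_ICMPV6 or len(frame) < off + 16 or frame[off] != ICMPV6_RA:
        return None
    (lifetime,) = struct.unpack("!H", frame[off + 6:off + 8])
    return src_mac, src_ip, hop_limit, lifetime

def rogue_ras(frames, allowed_router_macs):
    """Return one alert dict per RA whose source MAC is not a known router."""
    alerts = []
    for ra in filter(None, map(parse_ra, frames)):
        if ra[0] not in allowed_router_macs:
            alerts.append(dict(zip(("mac", "ip", "hop_limit", "lifetime"), ra)))
    return alerts

def build_ra(src_mac, src_ip, lifetime):
    """Build a constructed sample RA frame (checksum zero; the parser does not verify it)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV6)
    return eth + ip6 + icmp

# Constructed sample traffic: one known router, one unexpected advertiser, one IPv4 frame.
ALLOWED = {"02:00:00:00:00:01"}
SAMPLE = [
    build_ra("02:00:00:00:00:01", "fe80::1", 1800),
    build_ra("02:00:00:00:00:99", "fe80::99", 1800),
    bytes(12) + struct.pack("!H", 0x0800) + bytes(46),
]
ALERTS = rogue_ras(SAMPLE, ALLOWED)
```
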
More information about the ipv6-ops mailing list