How to preempt rogue RAs?
Doug Barton
dougb at dougbarton.us
Sat Oct 30 21:53:33 CEST 2010
On 10/30/10 02:05, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 30, 2010 at 11:03:03AM +0200, Gert Doering wrote:
>> Some gear can filter out the RAs from sources where they are not
>> authorized.
>
> ... and in the case of "attachment links to the ISP", the Right Thing
> would probably be to prevent direct communication between the end nodes
> anyway... if it's an ethernet switch, use "private VLANs" with "local
> ARP spoofing" on the router, if it's some sort of ethernet DSLAM, they
> usually have appropriate filtering capability.
>
> This is not only about IPv6 RAs, but if customers can directly see each
> other's L2 frames, lots of interesting attacks are possible.
Big +1 to this. It's definitely a case of "solve the real problem."
As for the cause, there are so many possibilities that efforts spent on
learning the cause(s) and trying to figure out mitigation, and then
communicating that to the customer(s) would eat up all of the ISP's
profits for the year, or more.
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
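As an added example (not code from the thread or from any vendor gear), this is the kind of check that "filter out the RAs from sources where they are not authorized" amounts to on an access switch or host: parse a Router Advertisement off the wire and drop it unless it comes from an authorized router. The MAC allowlist and sample frames are constructed for the example; the checksum is left zero.

```python
import ipaddress
import struct

# Link-layer addresses of the routers allowed to send RAs on this segment (constructed).
AUTHORIZED_ROUTER_MACS = {"00:00:5e:00:01:01"}

def build_ra_frame(src_mac: str, src_ll: str, lifetime: int = 1800) -> bytes:
    """Build a minimal Ethernet/IPv6/ICMPv6 Router Advertisement (checksum left zero)."""
    dst_mac = bytes.fromhex("333300000001")            # all-nodes multicast MAC
    src = bytes.fromhex(src_mac.replace(":", ""))
    # ICMPv6 RA: type 134, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer (16 bytes, no options)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, lifetime, 0, 0)
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, 255,
                      ipaddress.IPv6Address(src_ll).packed,
                      ipaddress.IPv6Address("ff02::1").packed)
    return dst_mac + src + b"\x86\xdd" + ip6 + icmp

def inspect_frame(frame: bytes) -> dict:
    """Return a verdict for one frame: is it an RA, and should it be accepted?"""
    if len(frame) < 14 + 40 + 16 or frame[12:14] != b"\x86\xdd":
        return {"is_ra": False, "reason": "not IPv6"}
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    next_hdr, hop_limit = frame[14 + 6], frame[14 + 7]
    src_ip = ipaddress.IPv6Address(frame[14 + 8:14 + 24])
    icmp_type = frame[54]
    if next_hdr != 58 or icmp_type != 134:
        return {"is_ra": False, "reason": "not a Router Advertisement"}
    verdict = {"is_ra": True, "src_mac": src_mac, "src_ip": str(src_ip),
               "router_lifetime": struct.unpack("!H", frame[60:62])[0]}
    # RFC 4861 requires a link-local source and hop limit 255; anything else
    # did not originate on this link and is dropped before the allowlist check.
    if hop_limit != 255 or not src_ip.is_link_local:
        verdict["action"] = "drop"
        verdict["reason"] = "invalid hop limit or non-link-local source"
    elif src_mac not in AUTHORIZED_ROUTER_MACS:
        verdict["action"] = "drop"
        verdict["reason"] = "RA from unauthorized link-layer address"
    else:
        verdict["action"] = "accept"
        verdict["reason"] = "authorized router"
    return verdict
```

In a real deployment the allowlist is the router's port or MAC as configured on the switch, and a dropped RA is also worth logging, since it points at a misconfigured or compromised customer device on the segment.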