How to preempt rogue RAs?
George Bonser
gbonser at seven.com
Sun Oct 31 20:42:35 CET 2010
> From: Tore Anderson
> Sent: Sunday, October 31, 2010 10:24 AM
> To: Gert Doering
> Cc: George Bonser; ipv6-ops at lists.cluenet.de
> Subject: Re: How to preempt rogue RAs?
>
> Hi,
>
> * Gert Doering
>
> > Maybe it's ICS, but not "Win 7 ICS", but Vista...
>
> I figured out how to reproduce the problem now. It appears to be
> present in both Windows 7 and Vista, unfortunately.
>
> You need a computer with two network interfaces, e.g. a wired and a
> wireless one. If ICS is active on the wireless interface, and you
> connect to a wired network, the 6to4 prefix derived from the IPv4
> address configured on the wired interface will be announced back on
> the wired LAN (in addition to a /64 within fec0::/16). The wireless
> interface doesn't even have to be active - it seems to be sufficient
> that ICS is enabled on any interface as long as that interface is not
> the upstream one. This is in my opinion not very well designed,
> hopefully Microsoft can improve it in future patches.
Sounds like there is a case to be made for having an md5 signature
option on RAs so your stuff can be configured to only "believe" your
RAs.
I can't believe something like that isn't already part of the standard
considering how harmful rogue RAs are and how common the problem is.
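Until something like the signed-RA option suggested above exists, the practical defence is to notice rogue RAs as soon as they appear. The following is an added detection sketch, not code from anyone in this thread: it takes constructed Router Advertisement records (a listener on the wired LAN would log the RA source address, its link-layer address, and the prefixes it carries), derives the 6to4 prefix that ICS would build from a given IPv4 address, and flags RAs that come from a link-layer address outside a trusted set or that announce a 6to4 (2002::/16) or deprecated site-local (fec0::/10) prefix, which is exactly the pattern described for the ICS-enabled Windows hosts. The trusted gateway MAC, the sample addresses and the record format are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed record shape: what a simple RA listener on the wired LAN
# might log for each Router Advertisement it sees.
@dataclass
class RouterAdvert:
    src_ip: str            # link-local source address of the RA
    src_mac: str           # link-layer address (source MAC / SLLA option)
    prefixes: tuple        # prefixes carried in Prefix Information options

# Assumed: the link-layer address of the one legitimate router on this LAN.
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}

SIXTO4 = ipaddress.ip_network("2002::/16")       # 6to4 prefix space
SITE_LOCAL = ipaddress.ip_network("fec0::/10")   # deprecated site-local space


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Return the 6to4 prefix derived from an IPv4 address: 2002:WWXX:YYZZ::/48.

    This is the prefix an ICS-enabled host would announce back on the LAN
    after embedding the IPv4 address of its upstream interface.
    """
    a, b, c, d = ipaddress.ip_address(ipv4).packed
    return ipaddress.ip_network(f"2002:{a:02x}{b:02x}:{c:02x}{d:02x}::/48")


def classify(ra: RouterAdvert) -> list:
    """Return the list of reasons an RA looks rogue; empty means it looks fine."""
    reasons = []
    if ra.src_mac.lower() not in TRUSTED_ROUTERS:
        reasons.append("untrusted source")
    for p in ra.prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.subnet_of(SIXTO4):
            reasons.append(f"6to4 prefix {net}")
        elif net.subnet_of(SITE_LOCAL):
            reasons.append(f"deprecated site-local prefix {net}")
    return reasons


def suspicious_ras(ras) -> list:
    """Filter a batch of RAs down to (source address, reasons) for the rogue ones."""
    return [(ra.src_ip, classify(ra)) for ra in ras if classify(ra)]


# Constructed sample batch: one RA from the real gateway, one from a
# workstation with ICS enabled whose upstream IPv4 address is 192.0.2.4.
SAMPLE_RAS = [
    RouterAdvert("fe80::1", "00:11:22:33:44:55", ("2001:db8:1::/64",)),
    RouterAdvert("fe80::a", "aa:bb:cc:dd:ee:ff",
                 (str(sixto4_prefix("192.0.2.4")).replace("::/48", ":1::/64"),
                  "fec0::/64")),
]

if __name__ == "__main__":
    for src, reasons in suspicious_ras(SAMPLE_RAS):
        print(f"rogue RA from {src}: {', '.join(reasons)}")
```

Run as a script it prints one line for the ICS host and nothing for the real router; in practice the records would come from a packet capture or from the host's own RA log, and the trusted set from inventory rather than a constant.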