How to preempt rogue RAs?

George Bonser gbonser at seven.com
Sun Oct 31 22:07:28 CET 2010



> From: Mikael Abrahamsson 
> Sent: Sunday, October 31, 2010 1:49 PM
> Subject: RE: How to preempt rogue RAs?
> 
> 
> Yes, it's really bad that this wasn't done a long time ago.
> 
> It's being done now anyway:
> 
> <http://ipv6.com/articles/research/Secure-Neighbor-Discovery.htm>
> 
> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

And as has been typical with v6, they are apparently overreaching.
Strong encryption should be an option but there should also be a weak
option as well that doesn't require as much processor overhead.  A
simple md5 signature doesn't take a lot of processing power and protects
against the case where someone brings a laptop into the network that
generates RAs. It won't secure against a determined attack, but most
cases of rogue RAs aren't the result of a determined attack, they are
the result of an accident or other unintentional cause.

The whole history of v6 has been one of making things "perfect" or
"correct" to the point where people avoid using it.  "Useful" trumps
"correct" almost every time. What will be the cost of all this
encryption on a busy network?

George




More information about the ipv6-ops mailing list