
Re: bogus route announcements on IETF wireless LAN



>>>>> On Wed, 4 Aug 2004 03:01:45 +0200, 
>>>>> Simon Leinen <simon@limmat.switch.ch> said:

> If my host implemented RFC 3484, I could probably deprecate all these
> prefixes, but unfortunately it doesn't.  So I have to disable
> stateless address autoconfiguration (which is a pain) or use IPv4 :-(

I'm not sure what you mean by "deprecate", but, anyway, RFC3484 cannot
be a perfect solution to this kind of problem, depending on your
destination addresses.

Meanwhile, we've developed an administration tool to invalidate such
bogus routers and prefixes.  The tool runs configured with known bogus
prefixes.  If it receives an RA containing a bogus prefix, it sends
a "forged" RA spoofing the source address back to the link, in which
  - the source IP address is the source of the bogus original RA
  - the router lifetime is 0
  - the preferred and valid lifetimes are both 0

The 0 router lifetime will remove the router from the default router
list immediately.  The 0 preferred lifetime will deprecate (in the
sense of RFC2462) addresses configured from the bogus prefix
immediately.

It's still not a perfect solution, but should be quite effective.

The source code of the tool is available at the following URL:
http://orange.kame.net/dev/cvsweb2.cgi/kame/kame/kame/rafixd/

I'm afraid it doesn't compile on systems other than BSD, but it would
be nice if someone in the IETF network admin could run such a tool.

Disclaimer: as you can easily imagine, the tool could also be used to
cause a DoS attack.  But we are always under the risk of this type of
DoS even without this particular tool.

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp
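The RA check described in the message, as an added example (my own code, not rafixd and not from the author): it decodes an ICMPv6 Router Advertisement with its Prefix Information options and applies the configured bogus-prefix policy, distinguishing a rogue RA from the all-zero-lifetime deprecating RA the message describes. It only inspects packets; the two sample packets and the bogus prefix 2001:db8:bad::/48 are constructed.

```python
import ipaddress
import struct
ND_ROUTER_ADVERT = 134          # ICMPv6 type of a Router Advertisement (RFC 2461)
ND_OPT_PREFIX_INFORMATION = 3   # ND option carrying an on-link/autoconf prefix

def parse_ra(icmpv6):
    """Decode an RA: returns (router_lifetime, [(IPv6Network, preferred, valid), ...])."""
    typ, _code, _csum, _hops, _flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmpv6[:16])
    if typ != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 2461: discard the packet
        opt = icmpv6[off:off + olen * 8]
        if otype == ND_OPT_PREFIX_INFORMATION and len(opt) == 32:
            plen, _pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            net = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            prefixes.append((net, preferred, valid))
        off += olen * 8
    return router_lifetime, prefixes

def classify_ra(icmpv6, src, bogus_prefixes):
    """Flag an RA carrying a configured bogus prefix; an RA whose router and prefix
    lifetimes are all zero is the deprecating "fix" RA the message describes."""
    bogus = [ipaddress.IPv6Network(p) for p in bogus_prefixes]
    router_lifetime, prefixes = parse_ra(icmpv6)
    findings = []
    for net, preferred, valid in prefixes:
        if not any(net.subnet_of(b) for b in bogus):   # a /64 under a bogus /48 counts
            continue
        if router_lifetime == 0 and preferred == 0 and valid == 0:
            findings.append(f"deprecation RA from {src} for bogus prefix {net}")
        else:
            findings.append(f"bogus RA from {src}: prefix {net} preferred={preferred} valid={valid}")
    return findings

# Constructed test vectors (not captures): a rogue RA announcing 2001:db8:bad:1::/64
# with router lifetime 1800 s, and the all-zero-lifetime RA that would deprecate it.
BOGUS_RA = bytes.fromhex(
    "86 00 0000 40 00 0708 00000000 00000000"   # RA header, router lifetime 0x0708
    "03 04 40 c0 00278d00 00093a80 00000000"    # PIO: /64, L+A, valid 30 d, preferred 7 d
    "20010db80bad0001 0000000000000000")        # prefix 2001:db8:bad:1::
DEPRECATE_RA = bytes.fromhex(
    "86 00 0000 40 00 0000 00000000 00000000"
    "03 04 40 c0 00000000 00000000 00000000"
    "20010db80bad0001 0000000000000000")
```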