
Re: Operational comments on RAs vs DHC

On Mon, 19 Mar 2007, Tim Chown wrote:

> Hi,
>
> Please don't shoot the messenger, but there was one v6ops related topic I
> was hoping to bring up this morning but for which I wasn't able to prepare
> some discussion slides.
>
> The mail about 'rogue' Router Advertisements at the IETF reminded me.
>
> A number of administrators that I know of deploying IPv6 (dual-stack) have
> commented on a common problem, specifically the problem of handling 'rogue'
> RAs in their networks.   This includes one admin at our site.
>
> We typically see the problem in our wireless networks, where perhaps a
> user brings in a laptop that's set to be a 6to4 router at home, but shouldn't
> be one on our wireless.   But we also have seen it where an admin makes
> a config error typically in a VLAN config and one or more RAs leak to
> additional subnets/links.   Use of VLANs seems to be rising, and mistakes
> may be more common.
>
> The general problem is how to control the rogue RA, and/or to recover from
> a misconfigured state should that arise.   One of the worst cases is probably
> an additional (unwanted) RA sent with infinite lifetime.
>
> There are various tools that could be used to mitigate rogue RAs, e.g.
> - Use of SEND (as and when it's implemented)
> - Vendors adding RA snooping to L2 devices (doesn't help shared media though)

I think this is quite a possible option. I discussed with a vendor a year ago implementing something that allows sending RAs only from preconfigured MAC addresses. They think they might be able to implement something like that in their switches. No commitment yet...

> - Using a higher precedence RA (assuming hosts/routers support it)

This does not really help. Malicious RA advertisers can use high priority also.

> - Requiring L2 authentication, e.g. 802.1x (but that doesn't help against
>  unwitting users)
> - Using RA authentication (but then who does DHCP auth today?)
> - Using host-based packet filters (but these need configuring)

I would list another option also: logging ICMPv6 activity, especially RS/RA. If the controlling/monitoring station detects an inconsistency, then alert the administrator about the MAC addresses of malicious "routers".

> One concern here is there may be a push to define a default gateway option
> (and maybe MTU option) for DHCPv6 if the people I have heard from are
> typical of other admins.
>
> Is there a WG viewpoint on the practical short and long term solution to
> this problem?

In the short term I think logging can alert admins. In the long term a kind of switch-assisted solution would be nice to have. I am willing to invest some more time to investigate the problem....

Regards,
Janos Mohacsi
Network Engineer
NIIF/HUNGARNET
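The logging/monitoring idea above (alert on RAs that are inconsistent with what the network should carry, and report the sender's MAC) and the vendor discussion about allowing RAs only from preconfigured MAC addresses both come down to the same check, shown here as an added Python example that is not code from this thread, from any switch vendor, or from any monitoring product. It parses raw ICMPv6 Router Advertisement payloads (RFC 4861 layout, with the RFC 4191 router-preference bits), looks the source link-layer address up in an allowlist of authorized routers and the prefixes each may advertise, and raises alerts for the cases Tim lists: an unknown sender, a prefix leaking onto the wrong link, a 6to4 (2002::/16) prefix from a home router, an infinite prefix lifetime, and a high-preference RA from an unauthorized sender. The allowlist, the MAC addresses (IANA documentation range 00:00:5e:00:53:xx), the prefixes and the three packets are all constructed for the example; in a real deployment the payloads would come from a capture on the monitored link and the MAC would be taken from the Ethernet frame rather than from the option.

```python
"""Passive rogue-RA detector over raw ICMPv6 Router Advertisement payloads.

Added example: allowlist, MACs, prefixes and packets are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_SRC_LLADDR = 1       # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
INFINITE = 0xFFFFFFFF    # "infinite" prefix lifetime (RFC 4861 4.6.2)
# RFC 4191 Prf bits (flags byte, bits 3-4); 10 is reserved and treated as medium
PRF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
SIXTO4 = ipaddress.IPv6Network("2002::/16")


@dataclass
class Prefix:
    prefix: ipaddress.IPv6Network
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RA:
    src_mac: Optional[str]
    router_lifetime: int
    preference: str
    prefixes: List[Prefix]


def parse_ra(payload: bytes) -> RA:
    """Parse an RA message body (ICMPv6 header + options, no IPv6 header)."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, _hoplim, flags, rlife, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RA(None, rlife, PRF_NAMES[(flags >> 3) & 0b11], [])
    off = 16
    while off < len(payload):                       # TLV options, length in 8-byte units
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[off + 2:end]
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra.src_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, _pflags, valid, pref, _res = struct.unpack("!BBIII", body[:14])
            addr = ipaddress.IPv6Address(body[14:30])
            ra.prefixes.append(Prefix(ipaddress.IPv6Network((addr, plen), strict=False), valid, pref))
        off = end
    return ra


def audit(ra: RA, authorized: Dict[str, Set[ipaddress.IPv6Network]]) -> List[str]:
    """Return alert strings; authorized maps router MAC -> prefixes it may advertise."""
    alerts = []
    allowed = authorized.get(ra.src_mac)
    if allowed is None:
        alerts.append(f"RA from unauthorized MAC {ra.src_mac}")
        if ra.preference == "high":               # rogues can set high preference too
            alerts.append(f"unauthorized RA from {ra.src_mac} claims high router preference")
    for p in ra.prefixes:
        if allowed is None or p.prefix not in allowed:   # e.g. a VLAN leak onto the wrong link
            alerts.append(f"{ra.src_mac} advertises unexpected prefix {p.prefix}")
        if p.prefix.subnet_of(SIXTO4):                    # typical of a laptop configured as 6to4 router
            alerts.append(f"{ra.src_mac} advertises 6to4 prefix {p.prefix}")
        if p.valid_lifetime == INFINITE:                  # hardest case to recover from
            alerts.append(f"{ra.src_mac} advertises {p.prefix} with infinite valid lifetime")
    return alerts


def build_ra(mac: str, router_lifetime: int, prf: int, prefixes) -> bytes:
    """Construct an RA payload for testing (checksum left at 0; only fed to parse_ra)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, (prf & 0b11) << 3, router_lifetime, 0, 0)
    opts = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    for net, valid, pref in prefixes:
        n = ipaddress.IPv6Network(net)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, n.prefixlen, 0xC0, valid, pref, 0)
        opts += n.network_address.packed
    return hdr + opts


# Constructed allowlist: the one legitimate router on this link and its prefix.
AUTHORIZED = {"00:00:5e:00:53:01": {ipaddress.IPv6Network("2001:db8:1::/64")}}

# Constructed packets: a legitimate RA, a home 6to4 laptop with high preference and
# infinite lifetime, and the legitimate router leaking a second VLAN's prefix.
SAMPLES = {
    "legit": build_ra("00:00:5e:00:53:01", 1800, 0b00, [("2001:db8:1::/64", 2592000, 604800)]),
    "laptop_6to4": build_ra("00:00:5e:00:53:42", 1800, 0b01, [("2002:c633:6401:1::/64", INFINITE, INFINITE)]),
    "vlan_leak": build_ra("00:00:5e:00:53:01", 1800, 0b00,
                          [("2001:db8:1::/64", 2592000, 604800), ("2001:db8:2::/64", 2592000, 604800)]),
}


def scan(samples=SAMPLES, authorized=AUTHORIZED) -> Dict[str, List[str]]:
    """Audit every sample; an empty alert list means the RA is consistent with policy."""
    return {name: audit(parse_ra(pkt), authorized) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, alerts in scan().items():
        print(name, "->", alerts or ["ok"])
```

The allowlist keyed on MAC is exactly what a switch-side RA filter would enforce in hardware; doing the same comparison on a monitoring station only logs and alerts, but it works on shared media where the switch cannot help, and the alert already carries the MAC an admin needs to find the offending port or user.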