Rogue RAs (was Re: DHCP)
On Tuesday 24 July 2007 21:22:36 Tim Chown wrote:
> As Itojun has spotted, there are rogue IPv6 RAs on the network, so IPv6
> is not necessarily any better for you in this type of network.
There are really two different sorts of "rogue" RAs. Different in
their "motivation" and different in the way you can deal with them.
One type is the evil RA, that is purposely meant to do something nasty. That,
I think, can only really be dealt with by proper layer-2 access security, or
with SeND. Using DHCP only raises the implementation complexity for the evil
guys, as you pointed out yesterday.
The other type is the lamely configured node. Most often that will be a host
that automatically serves as 6to4 gateway when it has a public IPv4 address.
I think Windows XP SP2 or Vista do that with Internet connection sharing
enabled, for instance. I doubt we need protocol extensions for this
particular case. It might be common at interop.net (incl. IETF) meetings, and
rampant on some university campuses, but that's about it.
For that case, besides the various kludges we've already discussed during/after
Prague:
- 2002:... advertisements that do not include a non-6to4 non-site-local prefix
when there is at least one such prefix on the same link (defensive mechanism)
could be ignored altogether,
- "promiscuous" automated 6to4 routers should likely not advertise on any
interface that is assigned a public IPv4 address since other nodes on the
link can most likely get 6to4 by themselves,
...
--
Rémi Denis-Courmont
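As an added illustration of the first defensive mechanism in the list above (not code from the thread or from any of the participants), here is a small Python check that applies the rule to the set of RAs observed on one link: a 2002::/16 advertisement is ignored when it carries no non-6to4, non-site-local prefix while another router on the same link does advertise such a prefix. The sample RAs, the router link-local addresses and the 2001:db8:: / 192.0.2.x values are constructed for this example; the embedded IPv4 address is extracted only so that an operator can locate the misconfigured 6to4 host.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
SITE_LOCAL = ipaddress.ip_network("fec0::/10")   # deprecated site-local scope

# Constructed sample: RAs seen on one link, keyed by the router's link-local source.
SAMPLE_LINK = {
    "fe80::1": ["2001:db8:1::/64"],                         # the site's real router
    "fe80::2": ["2002:c000:204::/64"],                      # host acting as automatic 6to4 gateway
    "fe80::3": ["2002:c000:204::/64", "2001:db8:2::/64"],   # 6to4 plus a global prefix: kept
}


def embedded_ipv4(prefix):
    """Return the IPv4 address embedded in a 6to4 prefix (2002:AABB:CCDD::), or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    if not net.subnet_of(SIX_TO_FOUR):
        return None
    # Bytes 2..5 of a 2002:: address are the 6to4 gateway's public IPv4 address.
    return str(ipaddress.IPv4Address(net.network_address.packed[2:6]))


def is_real_prefix(net):
    """A prefix that counts for the heuristic: neither 6to4, site-local nor link-local."""
    return not (net.subnet_of(SIX_TO_FOUR) or net.subnet_of(SITE_LOCAL) or net.is_link_local)


def classify_link(ras):
    """Map each router to ("accept", None) or ("ignore", <embedded IPv4 of its 6to4 prefix>)."""
    nets = {rtr: [ipaddress.ip_network(p, strict=False) for p in plist]
            for rtr, plist in ras.items()}
    # The rule only applies when at least one real prefix is advertised on the link.
    link_has_real = any(is_real_prefix(n) for ns in nets.values() for n in ns)
    verdicts = {}
    for rtr, ns in nets.items():
        sixto4 = [n for n in ns if n.subnet_of(SIX_TO_FOUR)]
        if sixto4 and link_has_real and not any(is_real_prefix(n) for n in ns):
            verdicts[rtr] = ("ignore", embedded_ipv4(str(sixto4[0])))
        else:
            verdicts[rtr] = ("accept", None)
    return verdicts


if __name__ == "__main__":
    for rtr, (verdict, v4) in classify_link(SAMPLE_LINK).items():
        print(rtr, verdict, "" if v4 is None else f"(6to4 gateway at {v4})")
```

Note that a link with only 6to4 advertisements is left alone: the heuristic, as stated above, is defensive and only discards 2002:: RAs when a real prefix is also present.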