
Re: Handling rogue RA feedback

	I'll try to summarize what I know about handling rogue RAs.

	- L2 switch solution: filter rogue RAs in the switches, just like
	  filter rogue DHCPv4.  you can detect potential RA sources by
	  MLD joins to ff02::2 (all-routers link local multicast addr).
	  CONS: you cannot protect victims within the same wireless
	  base station, for instance.

	- end node host firewall solution: at every node, look at the content
	  of RAs and reject them if they advertise prefixes like
	  fec0:0:0:xxxx::/64.
	  CONS: not widely deployable, can filter false positives

	- KAME rafixd: shoot down rogue RAs by announcing against those rogue
	  RAs with 0 prefix/router lifetime
	  PROS: easy to deploy, maybe we should ship it with *BSD
	  CONS: need to take down the source of rogue RA anyways

	using DHCPv6 is NOT a solution, as you can see rogue DHCPv6 servers/
	relay agents just like rogue RAs.

itojun
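An added example, not part of itojun's mail or any of the tools it names: a small Python parser for ICMPv6 Router Advertisements (RFC 4861) that performs the per-host "look at the content of RAs" check from the second bullet, flagging Prefix Information options inside the deprecated site-local range fec0::/10. The disallowed list and the sample RA are assumptions constructed here for illustration.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

# Assumption: prefixes a host should refuse from any RA. The mail only
# names fec0:0:0:xxxx::/64, so the whole site-local block is used here.
DISALLOWED = [ipaddress.IPv6Network("fec0::/10")]


def parse_ra(payload: bytes):
    """Parse an ICMPv6 RA (header after the IPv6 header) and return
    (router_lifetime, [(prefix, valid_lifetime, preferred_lifetime), ...])."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes = []
    off = 16  # fixed RA header: type, code, cksum, hop limit, flags, lifetimes
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen = payload[off + 2]
            valid, preferred = struct.unpack("!II", payload[off + 4:off + 12])
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            prefixes.append((net, valid, preferred))
        off = end
    return router_lifetime, prefixes


def rogue_prefixes(payload: bytes):
    """Return the advertised prefixes that fall inside a disallowed range."""
    _, prefixes = parse_ra(payload)
    return [net for net, _, _ in prefixes
            if any(net.subnet_of(bad) for bad in DISALLOWED)]


def build_sample_ra(prefix: str, plen: int = 64) -> bytes:
    """Constructed test input: one RA with a single Prefix Information
    option (checksum left zero; this is parser input, not a packet to send)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed
```

A host-side filter would feed each RA it receives to rogue_prefixes() and drop the RA when the list is non-empty; the same check could flag RAs for logging instead of dropping them, avoiding the false-positive problem the mail notes.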