
Re: Handling rogue RA feedback



> > 	first of all, the above configuration violates RFC.  all routers have
> > 	to be configured with consistent RA parameters iirc.  i know it is not
> > 	practiced in reality.
> 
> Then we fix this in a future version of the document. Obviously this  
> is an unworkable requirement in practice, and I don't see why it  
> should be needed anyway.

	it was about prefix lifetime if i remember correctly (for jinmei it
	is night time in Japan, but he will be here any moment).
	if two routers advertise different prefix lifetime, hosts will go
	crazy.

> > 	however, ICMPv6 redirect should take care of it if there's any issue
> > 	with that.  anything wrong with redirects, other than getting
> > 	(potentially tons of) /128 routes?
> 
> Redirect is based on destination address, I'm talking about the  
> source address. The number of source prefixes is so low and known by  
> the host anyway that having router feedback for this is not  
> necessary, the host can do this itself without help if implementing  
> this is desired.

	ok, then you are in the maze of policy routing.  see comments from me
	to arifumi@nttv6.net.

> > 	also, "RAs with more specific route" (RFC4191) may help you assuming
> > 	router Y is not a rogue router.
> 
> That's again for the destination address.

	yup.

> >> So trying to use the router that gave you the prefix for the source
> >> address you're using is a good start. The next one would be to avoid
> >> routers that announce obviously tunneled reachability such as 6to4 or
> >> Teredo.
> 
> > 	we've been there with KAME, and we concluded it is a bad idea to
> > 	tie prefixes/source address selection to routers/RAs.
> 
> What were the problems or disadvantages of doing that?

	the routers which issue RA, and the routers which terminate external
	links are not usually the same (unless you are in a home network where
	there's only a single link).  so you do not have clear knowledge about
	how to issue RA parameters.  normally you only have 1 router on your
	link (which is not directly connected to the egress router), so you
	cannot have separate routers for separate prefixes.

  |       |
egress1 egress2
  |       |
==+=======+==
  |
router
  |
==+==
  |
router
  |
==+==
  |
your host

itojun
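
Added example, not part of the original message and not KAME code: a small Python model of the heuristic discussed above (pick the router whose RA carried the prefix of the source address in use), run against two constructed topologies. The router addresses, the 2001:db8::/32 documentation prefixes and all function names are assumptions made for illustration.

```python
import ipaddress

def routers_for_source(src, ras):
    """Routers whose RA advertised a prefix covering src.

    ras maps a router's link-local address to the prefixes in its RA.
    """
    addr = ipaddress.ip_address(src)
    return sorted(
        router for router, prefixes in ras.items()
        if any(addr in ipaddress.ip_network(p) for p in prefixes)
    )

def next_hops(sources, ras):
    """Candidate first-hop routers per source address."""
    return {src: routers_for_source(src, ras) for src in sources}

def host_can_steer(sources, ras):
    """True only if each source maps to exactly one router and no two
    sources share it, i.e. the source choice actually picks a path."""
    chosen = [tuple(r) for r in next_hops(sources, ras).values()]
    return all(len(r) == 1 for r in chosen) and len(set(chosen)) == len(chosen)

# Constructed sample data: one host address per upstream prefix.
SOURCES = ["2001:db8:a::10", "2001:db8:b::10"]

# Each egress router sits on the host's link and advertises its own prefix.
TWO_ROUTERS = {
    "fe80::1": ["2001:db8:a::/64"],
    "fe80::2": ["2001:db8:b::/64"],
}

# Topology from the diagram: a single on-link router advertises both
# prefixes; the egress routers are several hops away and send no RA here.
ONE_ROUTER = {
    "fe80::1": ["2001:db8:a::/64", "2001:db8:b::/64"],
}

if __name__ == "__main__":
    for name, ras in (("two routers", TWO_ROUTERS), ("one router", ONE_ROUTER)):
        print(name, next_hops(SOURCES, ras), "steer:", host_can_steer(SOURCES, ras))
```

In the single-router case both source addresses resolve to the same first hop, so the host's choice of router says nothing about which egress the packet will take.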