
Re: Handling rogue RA feedback



On 16-aug-2007, at 11:23, Stig Venaas wrote:

Like you did above, I think we should try to look at what issues people currently see with rogue RAs and whether there are ways to improve RAs.

The main problem I experience, and have heard from others, is that if an administrator through misconfiguration announces the wrong prefix (e.g. router misconfiguration, wrong VLAN ID on a switch port, etc.), someone plugs a network cable in the wrong switch port, or some host by accident announces bad RAs etc., then this will often affect all the IPv6 hosts on the link. With DHCP you only affect the hosts that request configuration before the problem is fixed. I.e., if an administrator reacts quickly, the impact of this error is much smaller than with RAs.

There are some obvious solutions to this. One is to only accept RAs at startup.

That goes against the way RAs and prefixes time out and you can't renumber anymore.

What would help a lot is to ignore RAs with only 6to4 and site local prefixes (not just the prefixes, the entire RA) if there are also RAs from one or more other routers with non-6to4 / non-site local prefixes. 6to4 / site local are the prefixes that tend to be advertised by mistake.

Making sure you match the outgoing gateway with the source address prefix would pretty much do this automatically because 6to4 addresses are explicitly avoided in RFC 3484 tables and site local has a large "CIDR distance" from global unicast addresses.

An easy way to maintain a "bad router" list (which are then filtered) would also help.
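A host-side filter that implements the heuristic discussed in this message (drop an RA whose prefixes are all 6to4 or site-local whenever another router advertises something else, and drop anything from an administrator-maintained bad-router list). This is an added example, not code from the thread; the dict representation of an RA, the link-local router addresses and the sample prefixes are constructed.

```python
"""Host-side RA filter along the lines of the heuristic discussed above.

Constructed example: an RA is modelled as a dict with the sending router's
link-local address and the list of prefixes it advertised.
"""
import ipaddress

# Prefixes that in practice tend to be announced by mistake.
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # RFC 3056
SITE_LOCAL = ipaddress.ip_network("fec0::/10")    # deprecated, RFC 3879


def is_suspect_prefix(prefix: str) -> bool:
    """True if the prefix falls inside 6to4 or site-local space."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        return False
    return net.subnet_of(SIX_TO_FOUR) or net.subnet_of(SITE_LOCAL)


def ra_is_suspect(ra: dict) -> bool:
    """An RA is suspect only if it carries prefixes and every one is suspect.
    An RA with no prefix options (default-router only) is left alone."""
    prefixes = ra.get("prefixes", [])
    return bool(prefixes) and all(is_suspect_prefix(p) for p in prefixes)


def select_ras(ras: list, bad_routers=frozenset()) -> list:
    """Return the RAs a host should act on.

    1. Drop anything from an administratively listed "bad router".
    2. If at least one remaining RA advertises a non-6to4 / non-site-local
       prefix, discard the suspect RAs entirely (not just their prefixes).
    3. Otherwise keep them: a genuinely 6to4-only link still needs its RA.
    """
    candidates = [ra for ra in ras if ra["router"] not in bad_routers]
    trusted = [ra for ra in candidates if not ra_is_suspect(ra)]
    return trusted if trusted else candidates


# Constructed sample: one legitimate router plus a 6to4 and a site-local
# announcement such as a misconfigured box or a wrong VLAN might produce.
SAMPLE_RAS = [
    {"router": "fe80::1", "prefixes": ["2001:db8:1::/64"]},
    {"router": "fe80::2", "prefixes": ["2002:c000:204::/64"]},
    {"router": "fe80::3", "prefixes": ["fec0:0:0:1::/64"]},
]

if __name__ == "__main__":
    for ra in select_ras(SAMPLE_RAS):
        print("accept RA from", ra["router"], ra["prefixes"])
```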