Re: Handling rogue RA feedback

[Mohacsi Janos <mohacsi@niif.hu>]

Hi Stig,


On Thu, 16 Aug 2007, Stig Venaas wrote:

> Jun-ichiro itojun Hagino wrote:
> > 	i'll try to summarize what i know of about handling rogue RAs.
>
> Hi Itojun, some comments on this
>
> > 	- L2 switch solution: filter rogue RAs in the switches, just like
> > 	  filter rogue DHCPv4.  you can detect potential RA sources by
> > 	  MLD joins to ff02::2 (all-routers link local multicast addr).
> > 	  CONS: you cannot protect victims within the same wireless
> > 	  base station, for instance.
>
> I think L2 solutions that can restrict RAs to known router ports would
> be great.
> > 	- end node host firewall solution: at every node, look at the content
> > 	  of RAs and reject them if they advertise prefixes like
> > 	  fec0:0:0:xxxx::/64.
> > 	  CONS: not widely deployable, can filter false positives
> >
> > 	- KAME rafixd: shoot down rogue RAs by announcing against those rogue
> > 	  RAs with 0 prefix/router lifetime
> > 	  PROS: easy to deploy, maybe we should ship it with *BSD
> > 	  CONS: need to take down the source of rogue RA anyways


Another half solution is to monitor and alert malicious ND and RA usage.
Have a look at ndpmon at http://ndpmon.sf.net

I use it more than half a year now successfully.

> SEND can make things more secure. It does not help that much with regard
> to misconfiguration, except that the 2 hour rule is not a problem.

What SEND implementations are available around?

Best Regards,
		Janos Mohacsi