
Re: rogue RA problem statement



On Tuesday 12 February 2008 21:27:50 Deepak Bansal (NETWORKING), you wrote:
> >The most recent last week was a
> > Vista machine that somehow didn't pick up the real online RA, and chose
> > to become a 6to4 router as a result (apparently... we'll try to recreate
> > this one).
>
> Vista will not become a 6to4 router unless ICS is enabled on it. Hence, I
> suspect that the Vista machine in discussion here somehow had ICS enabled
> on it.

I don't know how easy or difficult it is to enable ICS, manually or 
automatically, but at a sizable (1000+) university with public IPv4 addresses, 
that has been a recurrent problem ever since we've provided IPv6 (4 years ago 
or so). Vista "IPv6-on-by-default" did not really help since then. Still, XP SP2 
is by far the worst, as the built-in firewall blocks incoming RA while 
booting up. Then the PC decides there is no IPv6 router (even though there 
*is*), and turns on 6to4 gatewaying.

Anyway, upgrading the switches to do some filtering is not an option. Using 
SEND is not an option, especially as it's currently not supported by anything 
on the market. So it looks like, for the foreseeable future, reactive "0 
lifetime" RA fixups will remain the only solution. As long as none of the 
automatic 6to4 gateways are doing UNICAST Router Advertisement, it works, 
even though it's an ugly hack.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
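
Added example, not part of the original message or of any existing tool: the reactive "0 lifetime" RA fix-up described above, as Python that parses an ICMPv6 Router Advertisement body and, for a source outside an allowlist of legitimate routers, builds the matching RA with router and prefix lifetimes set to zero. The addresses, the allowlist and all function names are constructed for illustration; capture, sending and the ICMPv6 checksum are left out.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT, OPT_PREFIX_INFO = 134, 3

def parse_ra(icmp6: bytes):
    """Parse an ICMPv6 RA body into (router_lifetime, [(plen, flags, valid, prefix)])."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes, off = [], 16
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid = struct.unpack_from("!BBI", icmp6, off + 2)
            prefixes.append((plen, flags, valid, icmp6[off + 16:off + 32]))
        off += opt_len
    return router_lifetime, prefixes

def build_fixup(prefixes):
    """RA body withdrawing the router and its prefixes: every lifetime is 0."""
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 0, 0, 0, 0, 0)
    for plen, flags, _valid, prefix in prefixes:
        body += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, flags, 0, 0, 0, prefix)
    return body  # checksum left 0 here: it depends on the IPv6 pseudo-header

def fixup_for(src, icmp6, legit_routers):
    """Return the fix-up RA body for a rogue RA, else None."""
    lifetime, prefixes = parse_ra(icmp6)
    if ipaddress.ip_address(src) in legit_routers:
        return None  # RA from a known router: leave it alone
    if lifetime == 0 and all(p[2] == 0 for p in prefixes):
        return None  # already a withdrawal (e.g. our own fix-up): do not loop
    return build_fixup(prefixes)

# Constructed sample: a 6to4 gateway at fe80::1234 advertising 2002:c000:204:1::/64.
LEGIT = {ipaddress.ip_address("fe80::1")}
ROGUE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + struct.pack(
    "!BBBBIII16s", 3, 4, 64, 0xC0, 2592000, 604800, 0,
    ipaddress.ip_address("2002:c000:204:1::").packed)

if __name__ == "__main__":
    print(fixup_for("fe80::1234", ROGUE_RA, LEGIT).hex())
```

Under RFC 4862 a host does not cut an address's remaining valid lifetime below two hours on an unauthenticated RA, so the immediate effect of the fix-up comes from the zero router lifetime and the zero preferred lifetime.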