RE: rogue RA problem statement
Inline: GV>
> On Tuesday 12 February 2008 21:27:50 Deepak Bansal (NETWORKING), you wrote:
> > >The most recent last week was a
> > > Vista machine that somehow didn't pick up the real online RA, and
> > >chose to become a 6to4 router as a result (apparently... we'll try
> > >to recreate this one).
> >
> > Vista will not become a 6to4 router unless ICS is enabled on it.
> > Hence, I suspect that the Vista machine in discussion here somehow had
> > ICS enabled on it.
> I don't know how easy or difficult, manual or automatic, enabling ICS is, but on a sizable (1000+) university
> with public IPv4 addresses, that has been a recurrent problem ever since we've provided IPv6 (4 years from now or so).
> Vista "IPv6-on-by-default" did not really help since then. Still, XP SP2 is by far the worst, as the built-in
> firewall blocks incoming RAs while booting up. Then the PC decides there is no IPv6 router (even though there *is*), and
> turns on 6to4 gatewaying.
> Anyway, upgrading the switches to do some filtering is not an option.
GV> This statement could be correct for the problem that XP SP2 experienced.
GV> In other cases, however, filtering RAs will be a simple solution
GV> for devices that behave according to specification, as for example CPE routers attached to an access network of an ISP.
GV> I have real SPs asking for RA-Guard-like capability in their access networks for IPv6.
GV> SeND will not be deployed there for a long time for many reasons, and hence RA-Guard behaviour
GV> at local access-network switches is an elegant solution.
GV> (I just don't buy the statement that SeND will solve their needs any time soon, if ever.)
GV> Rogue RAs are something that we should not avoid. They are a reality NOW, and will be for the next
GV> few years while v6 gets deployed further. We had better understand the issue, so correct action
GV> can be taken. Simply claiming SeND will solve 'all' is a bit academic, I suspect. It can solve
GV> certain aspects, but 'not all rogue-RA' issues in 'all environments'.
> Using SEND is not an option, especially as it's currently not supported by anything on the market.
GV> This is next to the question of solving the root issue. The root issue is not related to SeND.
> So it looks like, for the foreseeable future, reactive "0 lifetime" RA fixups will remain the only solution.
> As long as none of the automatic 6to4 gateways are doing UNICAST Router Advertisement, it works, even though it's an ugly hack.
GV> Yes, but it is the practical consequence of a host implementation.
G/
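The thread above revolves around two observable symptoms: a host that missed the real RA and started advertising a 6to4 prefix (2002::/16), and the "0 lifetime" RA fixups an operator sends in reaction. The following is an added example, not code from the thread or from any of the participants: a small Python monitor that parses raw ICMPv6 Router Advertisement payloads (RFC 4861 format, Source Link-layer Address and Prefix Information options) and flags RAs from sources that are not on a defender-maintained router allowlist, RAs carrying a 6to4 prefix, and zero-lifetime withdrawals. The allowlist `LEGIT_ROUTERS`, the `build_ra` helper and the three sample packets are constructed for illustration; on a real network the packets would come from a capture of the link-local all-nodes traffic.

```python
"""Rogue-RA detection over parsed ICMPv6 Router Advertisements (added example)."""
import ipaddress
import struct

# Assumption: the operator knows the link-local address(es) of the real router(s).
LEGIT_ROUTERS = {"fe80::1"}
SIXTO4 = ipaddress.ip_network("2002::/16")  # 6to4 prefix, RFC 3056
ICMPV6_RA = 134
OPT_SRC_LLADDR = 1
OPT_PREFIX_INFO = 3


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861 section 4.2) and its options."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    (icmp_type, _code, _csum, _cur_hop, _flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": router_lifetime, "src_lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:  # RFC 4861: zero-length options must be rejected
            raise ValueError("zero-length option")
        opt = payload[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated option")
        if opt_type == OPT_SRC_LLADDR and opt_len == 1:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen = opt[2]                                   # prefix length
            valid, preferred = struct.unpack("!II", opt[4:12])
            prefix = ipaddress.IPv6Address(opt[16:32])
            net = ipaddress.ip_network(f"{prefix}/{plen}", strict=False)
            ra["prefixes"].append((net, valid, preferred))
        off += opt_len * 8  # unknown options are skipped, per RFC 4861
    return ra


def classify_ra(src_ip: str, ra: dict) -> list:
    """Return a list of findings for one RA seen from link-local source src_ip."""
    findings = []
    if src_ip not in LEGIT_ROUTERS:
        if ra["router_lifetime"] == 0:
            findings.append("zero-lifetime RA from non-allowlisted source (withdrawal or fixup)")
        else:
            findings.append("unexpected default router")
    for net, _valid, _preferred in ra["prefixes"]:
        if net.subnet_of(SIXTO4):
            findings.append(f"6to4 prefix advertised: {net}")
    return findings


def build_ra(router_lifetime: int, lladdr: bytes, prefix: str, plen: int) -> bytes:
    """Construct an RA payload with a Source LL Address option and one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    sll = bytes([OPT_SRC_LLADDR, 1]) + lladdr
    pfx = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + sll + pfx + ipaddress.IPv6Address(prefix).packed


# Constructed samples: a legitimate RA, a host that turned itself into a 6to4 router
# (2002:c000:201:: is the 6to4 prefix derived from the documentation address 192.0.2.1),
# and the reactive zero-lifetime RA that withdraws that rogue router again.
SAMPLES = [
    ("fe80::1", build_ra(1800, bytes.fromhex("001122334455"), "2001:db8:1::", 64)),
    ("fe80::2a0:ff:fe12:3456", build_ra(1800, bytes.fromhex("02a000123456"), "2002:c000:201::", 64)),
    ("fe80::2a0:ff:fe12:3456", build_ra(0, bytes.fromhex("02a000123456"), "2002:c000:201::", 64)),
]


def audit(samples=SAMPLES) -> list:
    """Parse and classify every (source, payload) pair; returns [(source, findings), ...]."""
    return [(src, classify_ra(src, parse_ra(pkt))) for src, pkt in samples]


if __name__ == "__main__":
    for src, findings in audit():
        print(src, "->", findings or ["ok"])
```

The parser deliberately skips options it does not understand and rejects zero-length ones, which mirrors the RFC 4861 receiver rules; the classification is the part an operator would adapt, for example by matching the Source Link-layer Address option against the MAC of the real router as well as the IPv6 source, since a spoofed fixup RA carries the rogue's addresses and would otherwise be indistinguishable from the rogue itself.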