
RE: rogue RA problem statement



Inline: GV>


> On Tuesday 12 February 2008 21:27:50 Deepak Bansal (NETWORKING), you wrote:
> > > The most recent last week was a Vista machine that somehow didn't pick up the real online RA, and
> > > chose to become a 6to4 router as a result (apparently... we'll try to recreate this one).
> >
> > Vista will not become a 6to4 router unless ICS is enabled on it. 
> > Hence, I suspect that the Vista machine in discussion here somehow had 
> > ICS enabled on it.

> I don't know how easy or difficult or manually or automatically enabling ICS is, but on a sizable (1000+) university
> with public IPv4 addresses, that has been a recurrent problem ever since we've provided IPv6 (4 years from now or so).
> Vista "IPv6-on-by-default" did not really help since then. Still, XP SP2 is by far the worst, as the built-in
> firewall blocks incoming RA while booting up. Then the PC decides there is no IPv6 router (even though there *is*), and
> turns on 6to4 gatewaying.

> Anyway, upgrading the switches to do some filtering is not an option. 

GV> this statement could be correct for the problem that XP SP2 experienced.
GV> In other cases however filtering RA will be a simple solution
GV> for devices that behave according to specification, as for example CPE routers attached to an access network of an ISP.
GV> I have real SPs asking for RA-Guard like capability in their access networks for IPv6.
GV> SeND will not be deployed there for a long time for many reasons and hence RA-Guard behaviour
GV> at local access-network switches is an elegant solution.
GV> (I just don't buy the statement that SeND will solve their needs any time soon, if ever)

GV> Rogue RAs are something that we should not avoid. It is a reality NOW, and will be for the next
GV> few years when v6 gets deployed further. We had better understand the issue, so correct action
GV> can be taken. Simply claiming SeND will solve 'all' is a bit academic I suspect. It can solve
GV> certain aspects, but 'not all rogue-RA' issues in 'all environments'.

> Using SEND is not an option, especially as it's currently not supported by anything on the market. 

GV> this is next to the question of solving the root issue. Root issue is not related to SeND.

> So it looks like, for the foreseeable future, reactive "0 lifetime" RA fixups will remain the only solution. As long as none of the
> automatic 6to4 gateways are doing UNICAST Router Advertisement, it works, even though it's an ugly hack.

GV> yes, but it is the practical consequence of a host implementation

G/
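As an added example, not part of this thread or of any product mentioned in it: a small defender-side classifier that parses captured ICMPv6 Router Advertisements and labels the cases discussed above (an RA from an unexpected router, a host that has turned itself into a 6to4 gateway, and a zero-lifetime withdrawal of the kind the "0 lifetime" fixups rely on). The allowlisted router address and the sample packets are constructed, and ICMPv6 checksum verification is assumed to happen in the capture tooling.

```python
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3    # Prefix Information option (RFC 4861 section 4.6.2)
SIXTO4 = ipaddress.ip_network("2002::/16")

def parse_ra(icmp):
    """Parse an ICMPv6 RA (header + options); checksum assumed verified upstream."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack("!BBHBBHII", icmp[:16])[5]  # Router Lifetime field
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8       # length in 8-octet units
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed option")           # zero length: discard packet
        if otype == OPT_PREFIX_INFO and olen == 32:
            addr = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(ipaddress.ip_network(f"{addr}/{icmp[pos + 2]}", strict=False))
        pos += olen
    return {"router_lifetime": lifetime, "prefixes": prefixes}

def classify(src, ra, allowed_routers):
    """Verdict for an RA captured from link-local source `src`."""
    if src in allowed_routers:
        return "legitimate"
    if ra["router_lifetime"] == 0:
        return "fixup"        # lifetime 0 withdraws the sender: the "0 lifetime" fixups above
    if any(p.subnet_of(SIXTO4) for p in ra["prefixes"]):
        return "rogue-6to4"   # a host that turned itself into a 6to4 gateway
    return "rogue"

def build_ra(lifetime, prefix):
    """Construct a sample RA with one Prefix Information option (checksum left 0)."""
    net = ipaddress.ip_network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed

ALLOWED = {"fe80::1"}   # constructed: link-local address of the real on-link router
SAMPLES = [             # constructed captures: (source link-local, RA bytes)
    ("fe80::1", build_ra(1800, "2001:db8:1::/64")),            # the real router
    ("fe80::dead:beef", build_ra(1800, "2002:c000:201::/64")),  # 6to4 prefix of 192.0.2.1
    ("fe80::dead:beef", build_ra(0, "2002:c000:201::/64")),     # zero-lifetime withdrawal
]

def audit(samples=SAMPLES, allowed=ALLOWED):
    """Classify every captured RA; returns [(source, verdict), ...]."""
    return [(src, classify(src, parse_ra(pkt), allowed)) for src, pkt in samples]
```

Feed `audit()` the (source, ICMPv6 payload) pairs from a real capture to see which RAs on a segment come from something other than the expected router.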