[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

I-D Action:draft-ietf-v6ops-ra-guard-01.txt



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IPv6 Operations Working Group of the IETF.


	Title           : IPv6 RA-Guard
	Author(s)       : E. Levy-Abegnoli, et al.
	Filename        : draft-ietf-v6ops-ra-guard-01.txt
	Pages           : 10
	Date            : 2008-09-10

It is particularly easy to experience "rogue" routers on an unsecured
link.  Devices acting as a rougue router may send illegitimate RAs.
Section 6 of SeND [RFC3971] provides a full solution to this problem,
by enabling routers certification.  This solution does, however,
require all nodes on an L2 network segment to support SeND, as well
as it carries some deployment challenges.  End-nodes must be
provisioned with certificate anchors.  The solution works better when
end-nodes have access to a Certificate Revocation List server, and to
a Network Time Protocol server, both typically off-link, which brings
some bootstrap issues.

When using IPv6 within a single L2 network segment it is possible and
sometimes desirable to enable layer 2 devices to drop rogue RAs
before they reach end-nodes.  In order to distinguish valid from
rogue RAs, the L2 devices can use a spectrum of criterias, from a
static scheme that blocks RAs received on un-trusted ports, or from
un-trusted sources, to a more dynamic scheme that uses SeND to
challenge RA sources.

This document reviews various techniques applicable on the L2 devices
to reduce the threat of rogue RAs.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-ra-guard-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-ietf-v6ops-ra-guard-01.txt>