
Re: rogue RA problem statement



(subject line updated)

On Mon, Feb 11, 2008 at 10:04:03AM -0800, Fred Baker wrote:
>
>   The RA discussion
>     draft-chown-v6ops-rogue-ra if Tim updates it
>     draft-vandevelde-v6ops-ra-guard

Hi,

On the rogue RA problem statement, Stig and I don't feel there is much
point in an update at this stage, and also that presenting the same
issue for a 3rd time would be beneficial.
 
Looking back on IETF70 minutes (I wasn't there) they say:
	http://tools.ietf.org/wg/v6ops/minutes

which boils down to 'use SEND' on one hand, and some support from 
Iljitsch and Francis on the other.

We're seeing more instances of the problem being reported, e.g. on the
Internet2 list yesterday as a result of the Joint Techs meeting.

We're seeing the problem resurface on our own network (some 1500 dual-stack
hosts on wired and wireless access).   The most recent last week was a 
Vista machine that somehow didn't pick up the real online RA, and chose
to become a 6to4 router as a result (apparently... we'll try to recreate
this one).

I think there are various underlying issues here.

1) Not everyone will deploy SEND, in fact maybe very few networks will.
It would be useful for some SEND fud to perhaps be wiped away, since at
present it seems 'up there' with Authenticated DHCP for deployment as
far as the people I ask reply.

2) Rogue RAs can happen for various accidental or malicious reasons, so
monitoring your link for 'bad' RAs is prudent regardless. We've looked
at rafixd and are working on some improvements to that as a monitoring
and possibly corrective tool. This can be rolled into monitoring as
per ndpmon, perhaps. So these are new things that should be detectable.

3) There are 'simple' fixes that could be made available today, e.g. a
switch option to en/disable RAs inbound per switch/stack or per port,
which would help just as MLD snooping can do, or DHCP blocking today.

4) The issues with RAs are why people seem keen to use DHCPv6, and the
same people do ask about DHCPv6 default router options (regardless of
the (lack of) security with DHCPv6 itself).

Now, I think (4) is contentious but there could be progress on (1)-(3).

Anyway, perhaps the list could guide on updates to the problem statement,
and what it says (loosely) about solution spaces.

Obviously Gunter is working a little separately on RA Guard as one
possible solution.

-- 
Tim
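The link-monitoring idea in point (2), and the 6to4-router incident described above, can be made concrete with a small RA checker. The following is an added example written for this page; it is not code from the thread, from rafixd or from ndpmon. It assumes the monitor already has the ICMPv6 payload of each received RA and the link-local source address it came from (as a packet capture would give), and it replaces an ndpmon-style configuration file with an inline RaPolicy. All packet bytes, MAC addresses and prefixes are constructed: 2001:db8:1::/64 is the documentation prefix, and 2002:c000:201::/64 is the 6to4 prefix a host with the IPv4 address 192.0.2.1 would derive.

```python
"""Detect rogue IPv6 Router Advertisements against a per-link allowlist.

Added example, not part of the v6ops thread. Field layout follows RFC 4861
(RA header and ND options) and the 6to4 prefix 2002::/16 follows RFC 3056.
Sample packets below are constructed inline so the module runs offline.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3
SIXTO4 = ipaddress.IPv6Network("2002::/16")


@dataclass
class RouterAdvertisement:
    router_lifetime: int
    managed: bool                    # M flag: addresses via DHCPv6
    other: bool                      # O flag: other config via DHCPv6
    source_lladdr: Optional[str] = None
    prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)


def parse_ra(icmp: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 payload starting at the ICMPv6 header of an RA."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    # RFC 4861 s4.2: type, code, checksum, cur hop limit, flags,
    # router lifetime, reachable time, retrans timer
    _t, _c, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    ra = RouterAdvertisement(router_lifetime=lifetime,
                             managed=bool(flags & 0x80),
                             other=bool(flags & 0x40))
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:                 # RFC 4861 s4.6: zero length is invalid
            raise ValueError("zero-length ND option")
        body = icmp[off:off + olen * 8]
        if len(body) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra.source_lladdr = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            # prefix length at byte 2, flags at 3, lifetimes 4..15, prefix 16..31
            plen = body[2]
            prefix = ipaddress.IPv6Address(body[16:32])
            ra.prefixes.append(ipaddress.IPv6Network((prefix, plen), strict=False))
        off += olen * 8
    return ra


@dataclass(frozen=True)
class RaPolicy:
    trusted_routers: frozenset        # link-local sources allowed to send RAs
    expected_prefixes: frozenset      # IPv6Network objects the link should carry


def check_ra(src: str, ra: RouterAdvertisement, policy: RaPolicy) -> List[str]:
    """Return findings for one RA; an empty list means it matches policy."""
    findings = []
    if src not in policy.trusted_routers:
        findings.append(f"RA from untrusted router {src} (lladdr {ra.source_lladdr})")
    for p in ra.prefixes:
        if p not in policy.expected_prefixes:
            tag = " (6to4 host acting as router?)" if p.subnet_of(SIXTO4) else ""
            findings.append(f"unexpected prefix {p}{tag}")
    if src in policy.trusted_routers and ra.router_lifetime == 0:
        findings.append(f"trusted router {src} withdrew itself (lifetime 0)")
    return findings


def build_ra(lladdr: bytes, lifetime: int, prefix: str, plen: int = 64) -> bytes:
    """Build a constructed RA payload for testing (checksum left at zero)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      lifetime, 0, 0)
    sll = bytes([OPT_SOURCE_LLADDR, 1]) + lladdr
    pio = (bytes([OPT_PREFIX_INFO, 4, plen, 0xC0])
           + struct.pack("!III", 2592000, 604800, 0)
           + ipaddress.IPv6Address(prefix).packed)
    return hdr + sll + pio


# Constructed samples: the real router and a host advertising a 6to4 prefix.
LEGIT_RA = build_ra(bytes.fromhex("00005e000101"), 1800, "2001:db8:1::")
ROGUE_RA = build_ra(bytes.fromhex("0200000000a1"), 1800, "2002:c000:201::")
POLICY = RaPolicy(trusted_routers=frozenset({"fe80::1"}),
                  expected_prefixes=frozenset({ipaddress.IPv6Network("2001:db8:1::/64")}))

if __name__ == "__main__":
    for src, pkt in (("fe80::1", LEGIT_RA), ("fe80::a1", ROGUE_RA)):
        print(src, check_ra(src, parse_ra(pkt), POLICY) or "ok")
```

Feeding every RA seen on the link through check_ra and alerting on non-empty findings is the monitoring half; the "possibly corrective" half mentioned for rafixd would act on the same findings, but that is a policy decision per site and is left out here.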