
Re: RFC 5006 and draft-ietf-v6ops-rogue-ra-01

On 8 Jun 2010, at 22:24, Dale W. Carder wrote:

> In the latest version of draft-ietf-v6ops-rogue-ra-01, section
> 5.5 talks about recovering from an invalid configuration state
> w.r.t. the M & O bits.  
> 
> Should the document also mention that the host may also have
> incorrect, non-functional, or potentially malicious DNS
> configuration due to the host believing bogus RFC 5006
> advertisements?  The host may also need to recover from this
> as well.

So that's a good question. When the rogue RA draft was first written, RFC 5006 was, I recall, itself a draft in its infancy. It's pretty clear that a rogue RA may also be an RA with 'bad' DNS resolver information in it.

We could add text about this. That would involve some mention of the problem in Section 1 (introduction), perhaps a brief discussion as an extra point in Section 5, and adding the mitigation mentioned in draft-ietf-6man-dns-options-bis-02 of disabling the host from processing DNS options in the RA (assuming the host implementation supports that, of course, which isn't a MUST in the draft as far as I can see). Other than that, I think the text in the draft about rogue RA 'badness' is generic enough to cover bad DNS information. I'm happy to work with Stig on such text if it's deemed useful, and it won't hold up publication too much more.

I note that draft-ietf-6man-dns-options-bis-02, which passed 6man WG last call, makes no reference to the rogue RA draft in its own security discussion, and also no mention of RA Guard.

Tim
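Added example, not part of this thread or of either draft: a small Python parser that pulls the M/O flags and any RFC 5006 RDNSS (option type 25) and DNSSL (option type 31) entries out of a Router Advertisement, then reports resolvers or search domains that are not on an operator-supplied trusted list. This is the kind of check a monitoring host could run over captured RAs to notice the "bogus RFC 5006 advertisement" case raised above, independent of whether the host's own stack can be told to ignore DNS options. The RA bytes, the router's link-layer address and the trusted sets are all constructed for the example.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_RDNSS = 25   # Recursive DNS Server option, RFC 5006
OPT_DNSSL = 31   # DNS Search List option, draft-ietf-6man-dns-options-bis


def _decode_names(data):
    """Decode the zero-padded list of DNS wire-format names in a DNSSL option."""
    names, off = [], 0
    while off < len(data):
        labels = []
        while True:
            if off >= len(data):
                raise ValueError("unterminated name in DNSSL option")
            n = data[off]
            off += 1
            if n == 0:            # end of a name, or trailing zero padding
                break
            if off + n > len(data):
                raise ValueError("DNSSL label runs past option end")
            labels.append(data[off:off + n].decode("ascii"))
            off += n
        if labels:
            names.append(".".join(labels))
    return names


def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 header followed by options)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = payload[5]
    ra = {
        "M": bool(flags & 0x80),                 # Managed address configuration
        "O": bool(flags & 0x40),                 # Other configuration
        "router_lifetime": struct.unpack("!H", payload[6:8])[0],
        "rdnss": [],                             # (address, lifetime) pairs
        "dnssl": [],                             # (search domain, lifetime) pairs
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                            # RFC 4861: zero-length options are invalid
            raise ValueError("zero-length option")
        end = off + olen * 8                     # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]              # reserved(2) + lifetime(4) + payload
        if otype == OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            if len(addrs) % 16:
                raise ValueError("RDNSS option length does not fit whole addresses")
            for i in range(0, len(addrs), 16):
                ra["rdnss"].append((str(ipaddress.IPv6Address(addrs[i:i + 16])), lifetime))
        elif otype == OPT_DNSSL:
            lifetime = struct.unpack("!I", body[2:6])[0]
            ra["dnssl"].extend((name, lifetime) for name in _decode_names(body[6:]))
        off = end
    return ra


def audit_ra(payload, trusted_resolvers, trusted_domains=()):
    """Return (parsed RA, list of findings) for DNS data not on the trusted lists."""
    ra = parse_ra(payload)
    trusted = {ipaddress.IPv6Address(a) for a in trusted_resolvers}
    findings = []
    for addr, lifetime in ra["rdnss"]:
        if ipaddress.IPv6Address(addr) not in trusted:
            findings.append(f"untrusted RDNSS resolver {addr} (lifetime {lifetime}s)")
    for name, lifetime in ra["dnssl"]:
        if name not in set(trusted_domains):
            findings.append(f"untrusted DNSSL search domain {name} (lifetime {lifetime}s)")
    return ra, findings


# Constructed RA: O bit set, router lifetime 1800s, a source link-layer address
# option, one RDNSS resolver (2001:db8::53) and one DNSSL domain (example.com).
CONSTRUCTED_RA = (
    bytes([ND_ROUTER_ADVERT, 0, 0, 0, 64, 0x40]) + struct.pack("!HII", 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("02005e005301")
    + bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 3600)
    + ipaddress.IPv6Address("2001:db8::53").packed
    + bytes([OPT_DNSSL, 3, 0, 0]) + struct.pack("!I", 3600)
    + b"\x07example\x03com\x00" + b"\x00" * 3
)

if __name__ == "__main__":
    parsed, problems = audit_ra(CONSTRUCTED_RA, {"2001:db8::1"}, {"example.com"})
    print(parsed)
    for p in problems:
        print("FINDING:", p)
```

The parser rejects zero-length and over-long options rather than skipping them, since a monitor should treat a malformed RA as worth reporting, not silently ignore it; the trusted-list comparison is deliberately per-interface data the operator supplies, as nothing in the RA itself proves which router sent it.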