I have a problem with rogue RAs in my IPv6 network.
$Id: rogue-RA.html,v 1.2 2007/07/25 05:02:36 itojun Exp $
Just like the rogue DHCPv4 server/relay agent problem, we have a rogue RA sender
problem (and/or a rogue DHCPv6 server/relay agent problem).
Here is a list of possible solutions (from our experience, my choice would be rafixd):
- L2 switch solution: filter rogue RAs in the switches, just like
  filtering rogue DHCPv4. You can detect potential RA sources by their
  MLD joins to ff02::2 (the all-routers link-local multicast address).
  CONS: you cannot protect victims behind the same wireless
  base station, for instance.
- end node host firewall solution: at every node, look at the content
of RAs and reject them if they advertise prefixes like
  CONS: not widely deployable; may also filter legitimate RAs (false positives)
- KAME rafixd: shoot down rogue RAs by announcing, against each rogue
  RA, an RA with 0 prefix/router lifetime.
  PROS: easy to deploy; maybe we should ship it with *BSD
  CONS: you still need to take down the source of the rogue RA anyway
- SEND: Secure Neighbor Discovery.
  CONS: deployment cost is ultra super expensive, and
  it is very unlikely that you have access to an implementation.
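The L2 switch and end node filtering options both come down to the same check: parse each RA seen on the link and compare its source and advertised prefixes against what the network is supposed to announce. The following is an added example (not from the original note or from KAME) of that detection logic. It assumes an allowlist of legitimate router link-local addresses and prefixes (ALLOWED_ROUTERS, ALLOWED_PREFIXES) that the operator maintains, parses only the ICMPv6 payload (RFC 4861 section 4.2 header plus Prefix Information options), does not verify the checksum, and runs over two RA payloads constructed inline, one legitimate and one rogue.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

# Operator-maintained policy (assumed values; adjust per link).
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


@dataclass
class RouterAdvertisement:
    router_lifetime: int                 # seconds; 0 means "not a default router"
    prefixes: list = field(default_factory=list)  # (IPv6Network, valid lifetime)


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 Router Advertisement and its Prefix Information options."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    (icmp_type, code, _csum, _hop_limit, _flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(router_lifetime=router_lifetime)
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: must be discarded
        opt_end = off + opt_len * 8                  # length is in units of 8 octets
        if opt_end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, _pflags, valid, _preferred, _reserved = struct.unpack(
                "!BBIII", payload[off + 2:off + 16])
            raw_prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefix = ipaddress.IPv6Network(f"{raw_prefix}/{plen}", strict=False)
            ra.prefixes.append((prefix, valid))
        off = opt_end   # unknown options are skipped, as the RFC requires
    return ra


def classify_ra(src_link_local: str, ra: RouterAdvertisement,
                allowed_routers, allowed_prefixes) -> list:
    """Return the reasons an RA violates policy; an empty list means it looks legitimate."""
    reasons = []
    src = ipaddress.IPv6Address(src_link_local)
    if src not in allowed_routers:
        reasons.append(f"unexpected router source {src}")
    for prefix, valid in ra.prefixes:
        if prefix not in allowed_prefixes:
            reasons.append(f"unexpected prefix {prefix} (valid lifetime {valid}s)")
    return reasons


def audit(observed) -> dict:
    """observed: iterable of (source link-local address, RA payload). Returns {source: reasons}."""
    return {src: classify_ra(src, parse_ra(payload), ALLOWED_ROUTERS, ALLOWED_PREFIXES)
            for src, payload in observed}


def sample_ra(router_lifetime: int, prefix: str,
              valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Build a constructed RA payload for the demo (checksum zero; never transmitted)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    prefix_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                             0xC0, valid, preferred, 0) + net.network_address.packed
    return header + prefix_opt


# Constructed sample traffic: the real router and one rogue sender.
OBSERVED = [
    ("fe80::1", sample_ra(1800, "2001:db8:1::/64")),
    ("fe80::2", sample_ra(1800, "2001:db8:dead::/64")),
]

if __name__ == "__main__":
    for src, reasons in audit(OBSERVED).items():
        print(src, "OK" if not reasons else "; ".join(reasons))
```

The same parse_ra is what a host-side filter or a monitoring daemon would apply to captured RAs; the policy is deliberately an allowlist, since a rogue RA's prefix is by definition one you have not seen before. A router lifetime of 0 from an allowlisted source is what rafixd's counter-announcement looks like on the wire, so an operator running rafixd should expect (and not alert on) those.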
Note that the use of DHCPv6 is NOT a solution, as you can see rogue DHCPv6
servers/relay agents just like rogue RAs.
Copyright(c) 2007 by ipv6samurais.com. All rights reserved.
Unauthorized reproduction is strictly prohibited.