I have a problem with rogue RAs in my IPv6 network.
$Id: rogue-RA.html,v 1.2 2007/07/25 05:02:36 itojun Exp $
Just like the rogue DHCPv4 server/relay agent problem, we have a rogue RA sender
problem (and/or a rogue DHCPv6 server/relay agent problem).
Here is a list of possible solutions:
- L2 switch solution: filter rogue RAs in the switches, just like
filtering rogue DHCPv4. You can detect potential RA sources by
MLD joins to ff02::2 (all-routers link-local multicast address).
CONS: you cannot protect victims within the same wireless
base station, for instance.
- end node host firewall solution: at every node, look at the content
of RAs and reject them if they advertise prefixes like
fec0:0:0:xxxx::/64.
CONS: not widely deployable, may filter legitimate RAs by mistake
(false positives)
- KAME rafixd: shoot down rogue RAs by announcing against those rogue
RAs with 0 prefix/router lifetime.
PROS: easy to deploy, maybe we should ship it with *BSD
CONS: need to take down the source of the rogue RA anyway
- SEND: secure neighbor discovery.
CONS: deployment cost is extremely high.
It is very unlikely that you have access to an implementation.
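As an added illustration (not part of the original note, and not rafixd's or KAME's code), here is the host-side check from the firewall solution above together with the zero-lifetime signal rafixd relies on: a small parser for an ICMPv6 Router Advertisement that labels each advertised prefix as acceptable, rogue, or a withdrawal. The packet bytes and the allow-list are constructed samples.

```python
import ipaddress
import struct
# Constructed sample: an ICMPv6 Router Advertisement (type 134) with one Prefix
# Information option (type 3) announcing site-local fec0:0:0:1::/64 for ever.
ROGUE_RA = bytes([
    134, 0, 0, 0,            # type, code, checksum (zeroed in this sample)
    64, 0x00, 0x07, 0x08,    # cur hop limit, flags, router lifetime 1800 s
    0, 0, 0, 0, 0, 0, 0, 0,  # reachable time, retrans timer
    3, 4, 64, 0xc0,          # option type 3, length 4 (32 bytes), /64, L+A
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  # valid, preferred: infinite
    0, 0, 0, 0,              # reserved
]) + ipaddress.IPv6Address("fec0:0:0:1::").packed
# Constructed rafixd-style counter RA: same prefix, router lifetime and both
# prefix lifetimes zeroed, which tells hosts to drop that router and prefix.
COUNTER_RA = ROGUE_RA[:6] + bytes(2) + ROGUE_RA[8:20] + bytes(8) + ROGUE_RA[28:]
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")  # deprecated by RFC 3879

def parse_ra(pkt):
    """Return (router lifetime, [(prefix, valid, preferred), ...]) from an RA."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", pkt[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:  # RFC 4861: a zero-length option means discard the packet
            raise ValueError("zero-length ND option")
        body = pkt[off:off + olen * 8]
        if otype == 3 and len(body) == 32:  # Prefix Information option
            valid, preferred = struct.unpack("!II", body[4:12])
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            prefixes.append((net, valid, preferred))
        off += olen * 8
    return router_lifetime, prefixes

def classify_ra(pkt, allowed):
    """Label prefixes 'ok', 'rogue' (site-local or off the allow-list) or
    'withdrawal' (both lifetimes 0, the rafixd-style counter announcement)."""
    allowed = [ipaddress.IPv6Network(a) for a in allowed]
    lifetime, prefixes = parse_ra(pkt)
    verdicts = []
    for net, valid, preferred in prefixes:
        if valid == 0 and preferred == 0:
            label = "withdrawal"
        elif net.subnet_of(SITE_LOCAL) or not any(net.subnet_of(a) for a in allowed):
            label = "rogue"
        else:
            label = "ok"
        verdicts.append((str(net), label))
    return lifetime, verdicts
```

A host firewall would drop RAs that produce any "rogue" verdict; the "withdrawal" label is what rafixd's counter announcement looks like on the wire.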
From our experience, my choice would be rafixd.
Note that the use of DHCPv6 is NOT a solution, since rogue DHCPv6
servers/relay agents are just as possible as rogue RAs.
Copyright(c) 2007 by ipv6samurais.com. All rights reserved.
Unauthorized reproduction is strictly prohibited.