[Attendee] Rogue RA

lcreg-nanog at convergence.cx
Wed Jun 17 14:19:10 UTC 2009


Purely on the topic of RAs for 6to4 space, it should be easy to implement
a security knob in most stacks so as not to accept RAs for 2001::/32 or
2002::/16.

Dave.

On Wed, 17 Jun 2009, joel jaeggli wrote:

> Date: Wed, 17 Jun 2009 07:15:51 -0700
> From: joel jaeggli <joelja at gmail.com>
> To: Michael Sinatra <michael at rancid.berkeley.edu>
> Cc: attendee at nanog.org
> Subject: Re: [Attendee] Rogue RA
>
> The rogue dhcp server has to reply faster than the actual one. We
> don't actually have a protection against rogue dhcp servers currently
> in my understanding. So if you don't see any it's because there aren't
> any.
>
> joel
>
> On Wed, Jun 17, 2009 at 7:08 AM, Michael
> Sinatra<michael at rancid.berkeley.edu> wrote:
> > On 6/16/09 3:25 PM, Tom Pusateri wrote:
> >> Shouldn't we see the same problem with rogue DHCP servers in v4?
> >
> > That's what has always confused me.  Part of the reason we may not is
> > that the rogue comes on-line at a time when nobody is doing DHCPDISCOVER
> > and then goes off-line.  OTOH, if the rogue sends out just one RA, other
> > machines will configure the address and might even add a candidate route
> > immediately, regardless of whether they already have a v6 address.
> >
> > However, I have been in other situations where I see RAs in IPv6, but I
> > don't have rogue DHCP issues in v4 on a particular net.  (At the same
> > time, we do see a bunch of rogue DHCP servers on our wireless nets at
> > Berkeley.)
> >
> > michael
> >
> > _______________________________________________
> > Attendee mailing list
> > Attendee at nanog.org
> > http://mailman.nanog.org/mailman/listinfo/attendee
> >
>
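
The prefix filter Dave proposes, worked through as an added example (this is not code from the list, from any vendor stack, or from the message author): it parses the ICMPv6 Router Advertisement body per RFC 4861, walks the Prefix Information options, and refuses the RA if any advertised prefix lies inside 2001::/32 (Teredo) or 2002::/16 (6to4). The RA bytes are constructed in `build_ra`, not captured; the function and constant names are this example's own, and the IPv6 header (hop limit 255, link-local source) and the ICMPv6 checksum are assumed to have already been validated by the receiving stack before this policy check runs.

```python
"""Added example: parse an ICMPv6 Router Advertisement (RFC 4861) and apply
a per-prefix deny list, as the 'security knob' suggested in the message would.
Hypothetical code; the RA below is constructed here, not captured."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134      # ICMPv6 type for Router Advertisement
ND_OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 4.6.2)
RA_FIXED_HEADER_LEN = 16    # type, code, cksum, hoplimit, flags, lifetime, reachable, retrans

# The "security knob": tunnel space no on-link router should advertise.
# 2001::/32 is Teredo, 2002::/16 is 6to4.
DENIED_PREFIXES = (ipaddress.ip_network("2001::/32"),
                   ipaddress.ip_network("2002::/16"))


def build_ra(prefixes, router_lifetime=1800):
    """Construct an RA body with one Prefix Information option per prefix.
    Checksum is left 0: the kernel verifies it before any policy check."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.ip_network(p)
        # type, length (8-octet units), prefixlen, L|A flags, valid,
        # preferred, reserved, then the 16-byte prefix
        opts += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                            0xC0, 2592000, 604800, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra_prefixes(icmpv6):
    """Return the IPv6Network advertised by each Prefix Information option.
    Raises ValueError for anything RFC 4861 says to discard."""
    if len(icmpv6) < RA_FIXED_HEADER_LEN:
        raise ValueError("RA shorter than fixed header")
    if icmpv6[0] != ND_ROUTER_ADVERT or icmpv6[1] != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = RA_FIXED_HEADER_LEN
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("option length 0")   # RFC 4861 4.6: discard packet
        end = off + opt_len * 8
        if end > len(icmpv6):
            raise ValueError("truncated option body")
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 4:
            plen = icmpv6[off + 2]
            addr = ipaddress.IPv6Address(icmpv6[off + 16:off + 32])
            prefixes.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        off = end   # unrecognised options are skipped, not rejected (RFC 4861 4.6)
    return prefixes


def denied_prefixes_in_ra(icmpv6, denied=DENIED_PREFIXES):
    """Advertised prefixes that fall inside (or equal) a denied range."""
    return [net for net in parse_ra_prefixes(icmpv6)
            if any(net.subnet_of(d) for d in denied)]


def should_accept_ra(icmpv6, denied=DENIED_PREFIXES):
    """Policy decision a stack could take on receipt: (accept, reason)."""
    try:
        bad = denied_prefixes_in_ra(icmpv6, denied)
    except ValueError as e:
        return False, f"malformed RA: {e}"
    if bad:
        return False, "RA advertises denied prefix " + ", ".join(map(str, bad))
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a legitimate RA and a rogue one carrying 6to4 space.
    samples = [("legit", build_ra(["2001:db8:1::/64"])),
               ("rogue", build_ra(["2002:c000:204::/64", "2001:db8:1::/64"]))]
    for label, ra in samples:
        print(label, should_accept_ra(ra))
```

The check uses `subnet_of` rather than overlap on purpose: an RA for a wider prefix that merely contains 2001::/32 is not an RA "for" Teredo space, whereas anything at or below the denied boundary is rejected. This knob only narrows the damage a rogue RA can do with those two ranges; it does nothing about a rogue advertising the site's own prefix or a bogus default router, which is the wider problem the thread is about.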