HP IPv6 RA Guard

Ray Soucy rps at maine.edu
Tue Dec 6 13:46:22 UTC 2011

I think of RA Guard as a Layer-2 stability feature, rather than a
security feature.

You're correct that it is unable to deal with RA crafted in a
fragmented packet on the majority (if not all) of implementations.

The issue of rogue RA exists on every network, regardless of whether
or not the IT group has deployed IPv6 or is aware of the IPv6 traffic
on that network.

Windows ICS is the most common "accidental" cause of rogue RA on a LAN.

On Mon, Dec 5, 2011 at 10:35 PM, Daniel Espejel
<daniel.unam.ipv6 at gmail.com> wrote:
> So,still assuming the fact that attackers will use the same "traditional
> ipv4" methods to alter the correct functioning over a network?...Well,
> maybe. Toda's IPv6 expertise for some network andmins and security
> experts is minimal. So most trainning and understanding before
> implementing its a good idea.
> For example, the RA-Guard method has a significant vulnerability: It's
> not designed to identify a "complex" IPv6-many extension headers formed
> packet (F. Gont - 6Networks). Some other security oriented mechanisms
> may fail because of the low IPv6 compliance.
> Regards.
> --
> Daniel Espejel Pérez
> Técnico Académico
> D.G.T.I.C. - U.N.A.M.
> GT-IPv6 CLARA / GT-IPv6 U.N.A.M.

Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System

More information about the NANOG mailing list