[ipv6-wg] New draft document available: Requirements For IPv6 in ICT Equipment

Hi,

On Thu, Oct 07, 2010 at 11:11:17AM +0200, João Damas wrote:
> > > Enterprise switch:
> > > - RA-guard: your enemy is not -unsolicited- RA, your enemy is
> > >    -unauthorized- RA. As in, the laptop your sales guy brought in
> > >    announcing itself as the gateway to the world, even if RA was solicited.
> > 
> > AFAIK RA-guard prevents RA packets being sent from ports, that are "declared" as "hosts" ports and connected hosts not authorized to send RA as such.
> > 
> 
> how is a host-based mechanism based on prevention of outgoing
> packets ever going to work? I mean, it can prevent accidents (perhaps,
> it is not a guarantee, look at usual list of ad-hoc Wifi SSIDs at
> any event) but it sure won't prevent intentional unauthorised RAs.

RA-guard is not host-based but switch-based.  You configure the switch
"*this* is the port where the router lives" and RAs on all other ports
are filtered.

See draft-ietf-v6ops-ra-guard-*.txt

Gert Doering
-- 
did you enable IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279