[ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)

Hi Fernando,

I gave you my feedback and some advice during the IETF in Quebec in a
1-2-1 email.
My hopes are that you integrate the feedback.

The draft RA-Guard is correct and needs no fixing. I agree that my
security section in the RA-Guard RFC 
is a bit light on content. However the main thing is that
implementations for RA-Guard use traditional ACLs for achieving the goal
and then ofcours these implementations can be bypassed with well known
and documented ACL's bypass techniques.

You can keep rambling the kettle here, but keep the above in mind if you
desire to proceed with this work.

G/

-----Original Message-----
From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On
Behalf Of Fernando Gont
Sent: 05 September 2011 05:54
To: ipv6-wg at ripe.net
Subject: [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)

Folks,

A few months ago I had published a couple of IETF Internet-Drafts to
tackle the problem of RA-Guard evasion -- A summary of the problem and
pointers to relevant materials is available at:
http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.
html

The two I-Ds are:

* http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-01.txt
* http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-01.txt

The former one explains the different attack vectors, and proposes
operational counter-measures. The latter proposes a longer-term
solution.

I'm planning to revise these two I-Ds soon, so any
comments/feedback/discussion would be really welcome.

P.S.: In case you haven't, you may want to join the IPv6 Hackers
mailing-list: http://www.si6networks.com/community/mailing-lists.html

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
web: http://www.si6networks.com