This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Previous message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Next message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gunter Van de Velde (gvandeve)
gvandeve at cisco.com
Mon Sep 5 10:12:41 CEST 2011
Hi Fernando, I gave you my feedback and some advice during the IETF in Quebec in a 1-2-1 email. My hopes are that you integrate the feedback. The draft RA-Guard is correct and needs no fixing. I agree that my security section in the RA-Guard RFC is a bit light on content. However the main thing is that implementations for RA-Guard use traditional ACLs for achieving the goal and then ofcours these implementations can be bypassed with well known and documented ACL's bypass techniques. You can keep rambling the kettle here, but keep the above in mind if you desire to proceed with this work. G/ -----Original Message----- From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf Of Fernando Gont Sent: 05 September 2011 05:54 To: ipv6-wg at ripe.net Subject: [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security) Folks, A few months ago I had published a couple of IETF Internet-Drafts to tackle the problem of RA-Guard evasion -- A summary of the problem and pointers to relevant materials is available at: http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard. html The two I-Ds are: * http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-01.txt * http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-01.txt The former one explains the different attack vectors, and proposes operational counter-measures. The latter proposes a longer-term solution. I'm planning to revise these two I-Ds soon, so any comments/feedback/discussion would be really welcome. P.S.: In case you haven't, you may want to join the IPv6 Hackers mailing-list: http://www.si6networks.com/community/mailing-lists.html Thanks! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont at si6networks.com web: http://www.si6networks.com
- Previous message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
- Next message (by thread): [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ ipv6-wg Archives ]