This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] Fwd: RA-Guard: Advice on the implementation (feedback requested)
Fernando Gont
fgont at si6networks.com
Thu Feb 2 02:26:12 CET 2012
Folks,

You've probably read about this a few times -- still, most implementations remain broken.

If you care to get this fixed, please provide feedback about this I-D on the IETF *v6ops* mailing-list <v6ops at ietf.org>, and CC me if possible.

Thanks!

Best regards,
Fernando

-------- Original Message --------
Subject: RA-Guard: Advice on the implementation (feedback requested)
Date: Wed, 01 Feb 2012 21:44:29 -0300
From: Fernando Gont <fgont at si6networks.com>
Organization: SI6 Networks
To: IPv6 Operations <v6ops at ietf.org>

Folks,

We have just published a revision of our I-D "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)" <http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-01.txt>.

In essence, this is the problem statement, and what this I-D is about:

* RA-Guard is essential to have feature parity with IPv4.

* Most (all?) existing RA-Guard implementations can be trivially evaded: if the attacker includes extension headers in his packets, the RA-Guard devices fail to identify the Router Advertisement messages.
  -- For instance, THC's "IPv6 attack suite" (<http://www.thc.org/thc-ipv6/>) contains tools that can evade RA-Guard as indicated.

* The I-D discusses this problem, and provides advice on how to implement RA-Guard, such that the aforementioned vulnerabilities are eliminated, we have an effective RA-Guard device, and hence feature-parity with IPv4.

We'd like feedback on this I-D, including high-level comments on whether you support the proposal in this I-D.

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
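
Added example, not part of the original message or of the I-D: a sketch of the identification problem described above, comparing a filter that reads only the fixed header's Next Header field with one that walks the whole IPv6 header chain before deciding whether a packet is a Router Advertisement. All function names and the sample packets are constructed for illustration; what a device does with an "undetermined" result is left to its policy.

```python
import struct

ICMPV6, RA_TYPE, FRAGMENT, AH = 58, 134, 44, 51
GENERIC_EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
UPPER_LAYER = {6, 17, 59}   # TCP, UDP, No Next Header

def naive_is_ra(pkt: bytes) -> bool:
    """The broken check: trusts the fixed header's Next Header field only."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE

def classify(pkt: bytes) -> str:
    """Walk the full header chain. Returns 'ra', 'not-ra' or 'undetermined'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined"
    nh, off = pkt[6], 40
    while True:
        if nh == ICMPV6:
            if off >= len(pkt):
                return "undetermined"          # chain ends before the ICMPv6 type
            return "ra" if pkt[off] == RA_TYPE else "not-ra"
        if nh in UPPER_LAYER:
            return "not-ra"
        if off + 8 > len(pkt):
            return "undetermined"              # truncated extension header
        if nh in GENERIC_EXT:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == AH:
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "undetermined"          # non-first fragment: no upper-layer header here
            nh, off = pkt[off], off + 8
        else:
            return "undetermined"              # ESP or unknown header: cannot be parsed

# Constructed sample packets (checksums left at zero; link-local source, all-nodes destination).
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

RA = bytes([RA_TYPE, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
DSTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])    # Destination Options holding one PadN
PLAIN_RA = ipv6(ICMPV6, RA)
EXT_RA = ipv6(60, DSTOPT + RA)
ECHO = ipv6(ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 1]))

if __name__ == "__main__":
    for name, pkt in [("plain RA", PLAIN_RA), ("RA after ext header", EXT_RA), ("echo", ECHO)]:
        print(f"{name:20} naive={naive_is_ra(pkt)!s:5} chain-walk={classify(pkt)}")
```

The same Router Advertisement is recognised by both checks when it directly follows the fixed header, but only the chain-walking check still recognises it once an extension header precedes it.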