IPv6 RA-Guard
draft-ietf-v6ops-ra-guard-00.txt
G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi
72nd IETF - Dublin, Ireland, 27 July - 1 August 2008

Draft objective
• Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA
• RA-Guard is “no replacement” for SeND but a tool to work together with SeND
RA-Guard Usage Considerations
• RA traffic must go “through” an RA-Guard networking device - limited applicability in certain wireless networks
• Tunneled traffic is not protected
• RA-Guard could protect the content of an RA message
New WG draft
• Updated and (hopefully) clarified from the individual draft presented last time
• Clarification of RA-Guard operation modes: deny (based on criteria), allow (based on criteria), allow from SEND-authorised sources
• Make clearer what “pre-defined criteria” means
• For the SEND-authorised mode, introduction of the term “router authorization proxy” - or should we call it “SEND validating device” - which is the right terminology?
• Should we just call it an “RA-Guard device” in the general case?
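The deny and allow modes and the “pre-defined criteria” from this slide, as an added illustration that is not part of the draft or of this presentation: a small Python evaluator that classifies constructed Router Advertisements per switch port. The POLICY data model, the port names, the addresses and the prefixes are assumptions; the SEND-authorised (validating proxy) mode is deliberately left out.

```python
import ipaddress, struct
ICMPV6, ROUTER_ADVERTISEMENT, PREFIX_INFO = 58, 134, 3

POLICY = {  # constructed policy (hypothetical data model, not the draft's), per switch port
    "gi0/1": {"mode": "allow", "routers": {ipaddress.IPv6Address("fe80::1")},
              "prefixes": [ipaddress.IPv6Network("2001:db8:1::/48")]},
    "gi0/2": {"mode": "deny"},  # host-facing port: no RA is accepted from it
}

def parse_ra(pkt: bytes):
    """Return (source, [advertised prefixes]) for an RA, None for other traffic; ValueError if malformed."""
    if not (len(pkt) >= 56 and pkt[0] >> 4 == 6 and pkt[6] == ICMPV6 and pkt[40] == ROUTER_ADVERTISEMENT):
        return None  # only a bare IPv6 header is understood; a real guard must also walk extension headers
    src, icmp, prefixes, pos = ipaddress.IPv6Address(pkt[8:24]), pkt[40:], [], 16
    while pos + 2 <= len(icmp):  # 16-byte RA fixed part, then TLV options (length in 8-byte units)
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed RA option")
        if otype == PREFIX_INFO and olen == 32:  # Prefix Information: prefix length at +2, prefix at +16
            prefixes.append(ipaddress.IPv6Network((icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False))
        pos += olen
    return src, prefixes

def ra_guard(port: str, pkt: bytes, policy=POLICY) -> str:
    """'deny' drops every RA on the port; 'allow' forwards one only if source and all prefixes match the criteria."""
    try:
        parsed = parse_ra(pkt)
    except ValueError:
        return "drop: malformed RA"
    if parsed is None:
        return "forward"  # RA-Guard leaves non-RA traffic alone
    src, prefixes = parsed
    rule = policy.get(port, {"mode": "deny"})  # unconfigured ports default to deny
    if rule["mode"] != "allow":
        return "drop: RA not permitted on port"
    if src not in rule["routers"]:
        return "drop: untrusted source"
    for p in prefixes:
        if not any(p.subnet_of(a) for a in rule["prefixes"]):
            return f"drop: prefix {p} not authorised"
    return "forward"

def build_ra(src: str, prefixes) -> bytes:
    """Constructed test input only (ICMPv6 checksum left zero)."""
    opts = b"".join(struct.pack("!BBBBIII", PREFIX_INFO, 4, n.prefixlen, 0xC0, 2592000, 604800, 0)
                    + n.network_address.packed for n in map(ipaddress.IPv6Network, prefixes))
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + opts
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp
```

Tunnelled RAs and RAs behind extension headers are not seen by parse_ra, which mirrors the usage consideration on the previous slide.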
Comments and Next steps
• Comments so far from the WG:
  • Simplify the state machine (from Christian Vogt): device/interface - the device level is probably not necessary - the authors are working on an updated state machine
  • Define the pre-defined criteria clearly (from Christian Vogt)
  • Describe “router authorisation proxy” operation (from Arnaud Ebalard)
  • Describe the behaviour in case of multiple devices sending accepted RA messages (from Arnaud Ebalard)
• Next:
  • Address further comments from the WG
  • Fix typos (thanks to Arnaud Ebalard)
THANK YOU!
Backup slides (from IETF 71)
SEND deployment model (diagram)
Certificate chain: trust anchor certificate C0 (pfx_list=P0) at Certificate Authority CA0, which publishes a CRL (revocation list); Subordinate Certificate Authority CA1; router certificate CR (pfx_list=PR). Between host and router: RA (pfx_list=PR) and CPA (CR), the Certification Path Advertisement carrying CR.

Proposed deployment model (diagram, same elements as above)
C0 certificate (pfx_list=P0), CA0, CRL, CA1, router certificate CR (pfx_list=PR); host and router; RA (pfx_list=PR); CPA (CR).
RA-Guard complementing SeND
• RA-Guard “SeND-validating” RAs on behalf of hosts would potentially simplify some of the current deployment challenges:
  • It may take time until SeND is ubiquitous (e.g. issues concerning provisioning hosts with trust anchors, or SP access networks with non-managed CPE)
  • It is also reasonable to expect that some devices might not consider implementing SeND (e.g. IPv6-enabled sensors)
• RA-Guard intends to provide simple solutions to the rogue-RA problem:
  • In some cases, through a simple solution that filters/snoops potential rogue RAs
  • In others, by leveraging SeND between capable devices (L2 and routers) to provide protection to devices that do not consistently use SeND