IPv6 RA-Guard
G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohacsi
IETF 70, December 3rd 2007, Vancouver
draft-vandevelde-v6ops-RA-guard-00.txt
Concept Overview
• Shared (public and non-public) L2 segments can be sensitive to Rogue-RA (draft-chown-v6ops-rogue-ra-00.txt provides a problem space overview)
• In most networks the devices sending valid RAs into a network are known or can be identified
• The RA-guard solution allows on an L2 network only RAs from these identified devices, while blocking other, unauthorized RAs
Example (diagram): Valid Router (1) sends RAs through the Layer-2 device (often a switch) to the hosts (2); SLAAC etc. happens (3)
Example (diagram): Dr. Evil (4) sends rogue RAs through the Layer-2 device and breaks IPv6 for the network
Example (diagram): "Actually, my name is Austin Powers. Danger is my middle name. RA-Guard will protect!!" The Layer-2 device forwards the RA from the Valid Router (RA Fwd) and blocks the rogue RAs on the other ports (RA Block); Austin did it again!
RA-Guard State-Machine
• OFF
  • The L2-device operates as if RA-guard did not exist
• LEARNING
  • The L2 device is actively acquiring information about the devices connected to its interfaces
  • Ports of the L2-device are blocking RAs until declared valid based on pre-defined criteria
• ACTIVE
  • The interfaces of devices with the RA-guard capability enabled can be in three possible states related to RA handling: Learning, Blocking and Forwarding
RA-Guard Interface States
• RA-Blocking
• RA-Forwarding
• RA-Learning
• RA-Guard interface state transition (diagram)
RA-Guard pitfalls
• The RA-Guard mechanism relies on the assumption that all messages between IPv6 devices in the target environment traverse the controlled L2 networking devices
• The RA-Guard mechanism does not protect against tunneled IPv6 traffic
• RA-Guard does not provide any protection against the content or IPv6 addresses used with RA messages
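The state machine, the per-interface states and the tunnel pitfall above can be made concrete with a small model of an RA-guarding switch. The following Python is an added example, not code from the draft or from any vendor implementation; it assumes a static allow-list of router MAC addresses as the "pre-defined criteria" (the draft leaves the criteria open), treats a port that first sees an RA from an unlisted source as RA-Blocking, and represents frames as plain records so that the whole thing runs offline on constructed input. The last scenario shows the pitfall: the guard only classifies native IPv6 frames (EtherType 0x86DD) carrying ICMPv6 type 134, so an IPv4-encapsulated frame is simply not an RA from its point of view.

```python
"""Model of the RA-Guard state machine and per-port RA filtering (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set

ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_IPV4 = 0x0800
ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 ICMPv6 type for a Router Advertisement
ICMPV6_ECHO_REQUEST = 128


class GuardState(Enum):          # device-wide state machine from the slides
    OFF = "off"
    LEARNING = "learning"
    ACTIVE = "active"


class PortState(Enum):           # per-interface RA handling state
    LEARNING = "ra-learning"
    BLOCKING = "ra-blocking"
    FORWARDING = "ra-forwarding"


@dataclass
class Frame:
    ingress_port: str
    src_mac: str
    ethertype: int
    icmpv6_type: Optional[int] = None   # only meaningful for native IPv6 ICMPv6 frames


@dataclass
class RaGuardSwitch:
    authorized_router_macs: Set[str]                      # assumed pre-defined criterion
    state: GuardState = GuardState.OFF
    ports: Dict[str, PortState] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def enable(self, port_names: List[str]) -> None:
        """OFF -> LEARNING: every port starts by blocking RAs until declared valid."""
        self.state = GuardState.LEARNING
        for name in port_names:
            self.ports[name] = PortState.LEARNING

    def activate(self) -> None:
        """LEARNING -> ACTIVE: ports that never proved a valid router stay blocked."""
        self.state = GuardState.ACTIVE
        for name, st in self.ports.items():
            if st is PortState.LEARNING:
                self.ports[name] = PortState.BLOCKING

    @staticmethod
    def _is_native_ra(frame: Frame) -> bool:
        # This is the only thing the guard can recognise; anything encapsulated
        # inside IPv4 (e.g. a 6in4 tunnel) does not match and passes untouched.
        return frame.ethertype == ETHERTYPE_IPV6 and frame.icmpv6_type == ICMPV6_ROUTER_ADVERTISEMENT

    def observe(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded, False if RA-Guard drops it."""
        if self.state is GuardState.OFF or not self._is_native_ra(frame):
            return True
        port = self.ports.get(frame.ingress_port, PortState.BLOCKING)
        if port is PortState.FORWARDING:
            return True
        if port is PortState.LEARNING and frame.src_mac in self.authorized_router_macs:
            self.ports[frame.ingress_port] = PortState.FORWARDING   # declared valid
            self.log.append(f"{frame.ingress_port}: RA from {frame.src_mac} validated, forwarding")
            return True
        self.ports[frame.ingress_port] = PortState.BLOCKING
        self.log.append(f"{frame.ingress_port}: RA from {frame.src_mac} blocked")
        return False


def run_scenario() -> Dict[str, object]:
    """Replay the slide example on constructed frames and return the decisions."""
    sw = RaGuardSwitch(authorized_router_macs={"00:11:22:33:44:01"})   # constructed MAC
    sw.enable(["port1", "port2", "port4"])
    valid_ra = Frame("port1", "00:11:22:33:44:01", ETHERTYPE_IPV6, ICMPV6_ROUTER_ADVERTISEMENT)
    rogue_ra = Frame("port4", "de:ad:be:ef:00:04", ETHERTYPE_IPV6, ICMPV6_ROUTER_ADVERTISEMENT)
    host_ping = Frame("port2", "00:11:22:33:44:02", ETHERTYPE_IPV6, ICMPV6_ECHO_REQUEST)
    tunneled = Frame("port4", "de:ad:be:ef:00:04", ETHERTYPE_IPV4)   # IPv6 hidden inside IPv4
    results = {
        "valid_ra_forwarded": sw.observe(valid_ra),
        "rogue_ra_forwarded": sw.observe(rogue_ra),
        "host_ping_forwarded": sw.observe(host_ping),
        "tunneled_frame_forwarded": sw.observe(tunneled),   # the pitfall: not inspected
    }
    sw.activate()
    results["port_states"] = {p: s.value for p, s in sw.ports.items()}
    results["guard_state"] = sw.state.value
    results["log"] = list(sw.log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately returns True for the tunneled frame rather than raising or logging, because that is what a real L2 device does: the frame is ordinary IPv4 to it. Anything that needs to catch RAs arriving over tunnels has to inspect the encapsulated payload or be enforced at the tunnel endpoint, which is exactly why the deck lists it as a pitfall rather than a configuration option.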
THANK YOU!