
IPv6 RA-Guard

IPv6 RA-Guard. G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohacsi. IETF 71, March 11/14th 2008, Philadelphia. Draft objective: complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA.


Presentation Transcript


  1. IPv6 RA-Guard. G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohacsi. IETF 71, March 11/14th 2008, Philadelphia. draft-vandevelde-v6ops-ra-guard-01.txt

  2. Draft objective
     • Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA
     • RA-guard is “no replacement” for SeND but a tool to work together with SeND

  3. SEND deployment model [Diagram; labels: C0 trusted anchor certificate with pfx_list=P0; Certificate Authority CA0; CRL (revocation list); Subordinate Certificate Authority CA1; CR certificate with pfx_list=PR; host; router; RA (pfx_list=PR); CPA (CR)]

  4. Proposed Deployment model [Diagram; labels: C0 certificate with pfx_list=P0; CA0; CRL; CA1; CR certificate with pfx_list=PR; host; router; RA (pfx_list=PR); CPA (CR)]

  5. RA-Guard complementing SeND
     • RA-guard "SeND-validating" RA on behalf of hosts would potentially simplify some of the current deployment challenges:
       • It may take time until SeND is ubiquitous (i.e. issues concerning provisioning hosts with trust anchors or SP access-networks with non-managed CPE)
       • It is also reasonable to expect that some devices might not consider implementing SeND (i.e. IPv6 enabled sensors)
     • RA-guard intends to provide simple solutions to the rogue-RA problem:
       • Through a simple solution by filtering/snooping potential Rogue-RA
       • In others, leverage SeND between capable devices (L2 and routers) to provide protection to devices that do not consistently use SeND

  6. RA-Guard Use Considerations
     • RA-traffic must go “through” an RA-Guard L2 controlled networking device
     • Tunneled traffic is not protected
     • RA-Guard could protect content of an RA

  7. Next steps
     • Adopt as WG item?

  8. THANK YOU!
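
The filtering mode from slides 5 and 6, as an added sketch that is not part of the presentation or the draft: a stateless check that drops Router Advertisements arriving on any port not marked router-facing. Port names, helper names and the sample frames are constructed assumptions; SeND validation and VLAN-tagged frames are not modelled.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
NH_ICMPV6, ICMPV6_RA = 58, 134
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def is_native_ra(frame: bytes) -> bool:
    """True if an untagged Ethernet frame carries an ICMPv6 RA in native IPv6."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return False  # an IPv4 frame tunnelling IPv6 (protocol 41) ends up here
    next_hdr, off = frame[20], 54  # Next Header field, end of fixed IPv6 header
    while next_hdr in EXT_HEADERS:  # walk to the upper-layer header
        if len(frame) < off + 8:
            return False
        next_hdr, off = frame[off], off + (frame[off + 1] + 1) * 8
    return next_hdr == NH_ICMPV6 and len(frame) > off and frame[off] == ICMPV6_RA

def ra_guard(frame: bytes, ingress_port: str, router_ports: set) -> str:
    """Stateless L2 decision: an RA is forwarded only from a router-facing port."""
    if is_native_ra(frame) and ingress_port not in router_ports:
        return "drop"
    return "forward"

# --- Constructed sample frames (checksums left at zero; not captured traffic) ---
RA_BODY = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")  # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1 (all nodes)
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255) + src + dst + payload

def eth(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("333300000001" "020000000001") + struct.pack("!H", ethertype) + payload

def ipv4_tunnel(inner: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + inner

NATIVE_RA = eth(ETH_IPV6, ipv6(NH_ICMPV6, RA_BODY))
DESTOPT_RA = eth(ETH_IPV6, ipv6(60, bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY))
TUNNELED_RA = eth(ETH_IPV4, ipv4_tunnel(ipv6(NH_ICMPV6, RA_BODY)))
ROUTER_PORTS = {"Gi0/1"}  # hypothetical port name for the router-facing uplink

if __name__ == "__main__":
    for name, frame in [("native", NATIVE_RA), ("dest-opt", DESTOPT_RA), ("tunneled", TUNNELED_RA)]:
        for port in ("Gi0/1", "Gi0/7"):
            print(name, port, ra_guard(frame, port, ROUTER_PORTS))
```

The tunneled frame is forwarded from every port because the filter inspects only native IPv6, which is the slide 6 caveat that tunneled traffic is not protected.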
