Re: [76attendees] Rogue IPv6 RA

"Hemant Singh (shemant)" <shemant@cisco.com> Tue, 10 November 2009 05:38 UTC

Looks like another Thinkpad machine because the OUI for this new
mac-addr matches the OUI of the previous machine sending Rogue RA.

00-1B-77   (hex)		Intel Corporate
001B77     (base 16)    Intel Corporate
				Lot 8, Jalan Hi-Tech 2/3
				Kulim Hi-Tech Park
				Kulim Kedah 09000
				MALAYSIA

Hemant

-----Original Message-----
From: 76attendees-bounces@ietf.org [mailto:76attendees-bounces@ietf.org]
On Behalf Of Masafumi OE
Sent: Tuesday, November 10, 2009 2:36 PM
To: 76attendees@ietf.org
Subject: Re: [76attendees] Rogue IPv6 RA

Dear All,

"00:21:6b:3c:8c:e2" has been blocked from IETF76 WiFi at 2:00pm.

Would whoever owns this client please contact the Helpdesk in 
the terminal room or the NOC in the UME (4th Floor).
(See the IETF message board)

Also, we are hunting another Rogue RA client at the venue.
Its MAC address is "00:1b:77:bc:a4:e6", in the ORCHID West.
If this client continues sending RAs, we will block 
the client.

Regards,

--
Masafumi OE/ NAOJ


On Tue, Nov 10, 2009 at 01:15:01PM +0900,
 Yuji Sekiya wrote:

> At Mon, 09 Nov 2009 13:43:54 +0900,
> Yuji Sekiya wrote:
> 
> Dear IETF76 participants,
> 
> In Cattleya West Root room the below client is still
> sending Rogue RA. The client also sent it yesterday.
> 
> 00:21:6b:3c:8c:e2
> 
> The machine name is "T400" according to the DHCP log.
> 
> We will kick the client off the wireless network
> at 2:00pm.
> 
> Please check the MAC address of your PC.
> 
> Regards,
> 
> -- Yuji Sekiya
> 
> 
> 
> > Dear IETF76 Attendees,
> > This is Yuji Sekiya, IETF NOC.
> > 
> > Someone's laptop is announcing Rogue IPv6 RAs on the
> > SSID:ietf network.
> > 
> > We send fake RAs with routerlifetime=0, so your computer
> > may not be affected; however, the Rogue RAs are still being announced.
> > 
> > The MAC addresses of the laptops announcing Rogue RAs are
> > 
> >    00:1b:77:bc:a4:e6
> >    00:21:6b:3c:8c:e2
> > 
> > Please STOP announcement of Rogue RA !!!
> > 
> > -- Yuji Sekiya
> > 
> > _______________________________________________
> > 76attendees mailing list
> > 76attendees@ietf.org
> > https://www.ietf.org/mailman/listinfo/76attendees
> > 

-- 
Masafumi OE, Astronomy Data Center, NAOJ.
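
As an added example (not part of the thread and not the NOC's tooling), one way to flag Router Advertisement senders that are not on a router allowlist and group them by OUI, as the messages above do by hand. The allowlisted router MAC, the function names and the sample frames are constructed assumptions; the two flagged MACs and the single OUI entry are the ones quoted in the thread.

```python
import struct
from collections import defaultdict

LEGIT_ROUTERS = {"00:00:5e:00:53:01"}         # assumption: the NOC's real router (constructed)
OUI_VENDOR = {"00:1b:77": "Intel Corporate"}  # the one registry entry quoted in the thread

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ra(frame):
    """Return RA fields from a raw Ethernet frame, or None if it is not an RA."""
    if len(frame) < 14 + 40 + 16:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip6, icmp = frame[14:54], frame[54:]
    # Assumes no IPv6 extension headers sit between the IPv6 and ICMPv6 headers.
    if ethertype != 0x86DD or ip6[6] != 58 or icmp[0] != 134:
        return None
    slla, off = None, 16
    while off + 2 <= len(icmp):              # ND options: type, length in 8-byte units
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            break                            # malformed option, stop walking
        if otype == 1:                       # Source Link-Layer Address option
            slla = mac(icmp[off + 2:off + 8])
        off += olen
    return {"src_mac": mac(frame[6:12]), "slla": slla, "hop_limit": ip6[7],
            "router_lifetime": struct.unpack("!H", icmp[6:8])[0]}

def rogue_senders(frames, legit=LEGIT_ROUTERS):
    """Map OUI -> (vendor or None, sorted MACs) for RA senders not on the allowlist."""
    by_oui = defaultdict(set)
    for frame in frames:
        ra = parse_ra(frame)
        if ra and ra["src_mac"] not in legit:
            by_oui[ra["src_mac"][:8]].add(ra["src_mac"])
    return {o: (OUI_VENDOR.get(o), sorted(m)) for o, m in by_oui.items()}

def build_ra(src_mac, lifetime=1800):
    """Constructed sample frame for the demo, not captured traffic."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0) + b"\x01\x01" + src
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255) + bytes(32)
    return bytes.fromhex("333300000001") + src + b"\x86\xdd" + ip6 + icmp

SAMPLE = [build_ra("00:00:5e:00:53:01"), build_ra("00:1b:77:bc:a4:e6"),
          build_ra("00:21:6b:3c:8c:e2"), build_ra("00:1b:77:bc:a4:e6", lifetime=0)]

if __name__ == "__main__":
    for oui, (vendor, macs) in rogue_senders(SAMPLE).items():
        print(oui, vendor or "unknown vendor", macs)
```
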