Re: [v6ops] Last Call: <draft-ietf-v6ops-ra-guard-implementation-04.txt> (Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)) to Best Current Practice

Nick Hilliard <nick@inex.ie> Fri, 01 June 2012 13:33 UTC


On 01/06/2012 13:44, RJ Atkinson wrote:
> If the RA Guard built into the Layer-2 device is built using
> software on an off the shelf CPU/NP, then the device likely 
> can't parse the entire IPv6 header chain at wire speed -- 
> thereby creating a new easily exploited DOS attack vector
> on the RA Guard device.  This seems like a cure worse than
> the disease -- as the Ethernet switch connecting everything dies.

Not really: this is why we have control plane policing.

Nick
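The trade-off argued above, as an added example that is not part of this thread or of any vendor's RA-Guard code: a fast-path walk of the IPv6 header chain (the work the draft asks the Layer-2 device to do) that gives up after a fixed budget of extension headers, with frames it cannot classify punted to a token bucket standing in for control-plane policing instead of being parsed without limit. The header budget, the policer rate, the handling of unknown Next Header values and the sample frames are assumptions constructed for the example.

```python
import struct
# Next Header values (RFC 8200, RFC 4302, RFC 6275) the fast path knows how to step over
EXT_HDRS = {0, 43, 44, 60, 135}   # HBH, Routing, Fragment, DstOpts, Mobility: (len+1)*8 bytes
AH, ICMPV6, RA = 51, 58, 134      # AH is (len+2)*4 bytes; RA is ICMPv6 type 134
UPPER = {6, 17, 50}               # TCP, UDP, ESP: an upper layer, so certainly not an RA
def classify(pkt: bytes, budget: int = 4) -> str:
    """Walk the chain: 'ra', 'other' or 'unparseable' (slow path). Budget is an assumed limit."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return 'unparseable'
    nh, off = pkt[6], 40
    for _ in range(budget + 1):   # budget extension headers plus the final upper-layer header
        if nh == ICMPV6:
            return 'unparseable' if off >= len(pkt) else ('ra' if pkt[off] == RA else 'other')
        if nh not in EXT_HDRS and nh != AH:
            return 'other' if nh in UPPER else 'unparseable'   # unknown Next Header: punt
        if off + 2 > len(pkt):
            return 'unparseable'  # chain truncated before the extension header's length field
        nxt, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        nh = nxt
    return 'unparseable'          # chain longer than the fast path is willing to parse

class Policer:
    """Token bucket standing in for control-plane policing of frames punted to the CPU."""
    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, float(burst), 0.0
    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def ra_guard(pkt: bytes, policer: Policer, now: float) -> str:
    """Decision for a frame on a host-facing port: 'forward', 'drop', 'punt' or 'policed'."""
    kind = classify(pkt)
    if kind == 'ra':
        return 'drop'             # RAs are never accepted from host-facing ports
    if kind == 'unparseable':
        return 'punt' if policer.allow(now) else 'policed'   # slow path, rate limited by CPP
    return 'forward'

def ipv6(nh: int, payload: bytes) -> bytes:   # constructed sample frame, addresses zeroed
    return struct.pack('!IHBB', 6 << 28, len(payload), nh, 255) + bytes(32) + payload
DST = bytes([60, 0]) + bytes(6)               # DstOpts header whose Next Header is DstOpts
RA_MSG = bytes([RA, 0]) + bytes(14)           # ICMPv6 RA header, checksum left zero
RA_PKT = ipv6(ICMPV6, RA_MSG)
HBH_RA_PKT = ipv6(0, bytes([ICMPV6, 0]) + bytes(6) + RA_MSG)
DEEP_CHAIN = ipv6(60, DST * 5 + bytes([ICMPV6, 0]) + bytes(6) + RA_MSG)
```

Once the policer is exhausted, over-long chains are dropped at line rate rather than consuming the CPU, which is the mitigation the reply refers to.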