Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
S Moonesamy <sm+ietf@elandsys.com> Fri, 05 July 2013 04:09 UTC
Return-Path: <sm@elandsys.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265E821F8EEA for <v6ops@ietfa.amsl.com>; Thu, 4 Jul 2013 21:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GsJ5xnXdI7K5 for <v6ops@ietfa.amsl.com>; Thu, 4 Jul 2013 21:09:37 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 402C221F93E5 for <v6ops@ietf.org>; Thu, 4 Jul 2013 21:09:36 -0700 (PDT)
Received: from SUBMAN.elandsys.com ([197.224.134.75]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r6549Gu9026477 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 4 Jul 2013 21:09:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1372997368; bh=FjgwU0Nf74edDOTGIi8/l2urM1t2RD6Z98egrJDrwow=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=JMU4yHp7voEJnLC0SQgHcWIGRfkxjgD/ejgJXzL9LXQqrit0jMXGUn1fmOG+HLvVj EfCCWgcGUhb/MfQN/L55ltkFN7p0dZ3Fns2QkNPdXnLvoVHyZPrye4OtlSANqsCsfv XiZXRHSkoVch92PY7UxjSdMB1dMvIEMsKeAEFcuc=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=elandsys.com; s=mail; t=1372997368; i=@elandsys.com; bh=FjgwU0Nf74edDOTGIi8/l2urM1t2RD6Z98egrJDrwow=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=YL5D9mK8hiWdyuXljJoRootSexLxKU+OvCKs08OkUt16hsLoGayQURueFQxhpcp0y L7cJlzTMYCdCKsVJUm9gPS1Us2WhSlHnPrWWXyRzD3hofFHqYXqrpx5NMfw2VtTJvJ t2xreKW5M6rLNAi8JuuVrKyjsVmeUuB9iEujppPs=
Message-Id: <6.2.5.6.2.20130704192850.0d06e8b8@elandnews.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Thu, 04 Jul 2013 20:27:19 -0700
To: Arturo Servin <arturo.servin@gmail.com>
From: S Moonesamy <sm+ietf@elandsys.com>
In-Reply-To: <51D55CF0.9010301@gmail.com>
References: <6.2.5.6.2.20130702145424.0af37160@elandnews.com> <51D4CD90.5070005@gmail.com> <6.2.5.6.2.20130703220114.0c8241b8@resistor.net> <51D55CF0.9010301@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: v6ops@ietf.org
Subject: Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jul 2013 04:09:38 -0000
Hi Arturo, At 04:30 04-07-2013, Arturo Servin wrote: > Sorry, I should have said "Or are these recommendations orthogonal >to a network applying RA Guard?" Yes. > I think the ansewer is still yes. But for that reason I think that >you should mention that this is an add-on to RA Guard (not instead of, >not criticizing it) and it is intended to provide some security >mechanisms to the host when the network administrator do not have this >capability (RA-Guard) in its network. I think that we are looking at this from two different angles. I can look at this in terms of: (a) how does the network protect the host (b) how is the host protected If there is a protection for (a), for example, Router Advertisement Guard, (b) might not be much of a problem. If the host is protected, the question being asked is whether (a) is needed or not. I am not trying to answer that question as there is existing code for doing (b) and that is what the draft is talking about. What the person writing the code for the host may wish to say is that their system provides for the limits mentioned in draft-moonesamy-ra-flood-limit-00. > In the end, having RA-Guard could solve enteraly this problem, but >when it is not provided by the network the host should have mechanisms >to defend itself. Then is when your draft applies. Does it make sense my >comment? Yes, I understood what you wrote. In my opinion it depends on your security posture. Some people may prefer to put security closer to the end whereas others might find it better to do it centrally. RFC 6104 discusses about scenarios and different methods to mitigate against rogue Router Advertisements. In my opinion that is where the above is more relevant. What the code does is to prevent the host it is running on from crashing. Regards, S. Moonesamy
- [v6ops] Mitigation against IPv6 Router Advertisem… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… Rui Paulo
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… David Farmer
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… David Farmer
- Re: [v6ops] Mitigation against IPv6 Router Advert… Arturo Servin
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… Arturo Servin
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… David Farmer
- Re: [v6ops] Mitigation against IPv6 Router Advert… Arturo Servin
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… Fernando Gont
- Re: [v6ops] Mitigation against IPv6 Router Advert… S Moonesamy
- Re: [v6ops] Mitigation against IPv6 Router Advert… Fernando Gont