Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00

S Moonesamy <> Sat, 06 July 2013 00:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4412A11E80F3 for <>; Fri, 5 Jul 2013 17:47:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.577
X-Spam-Status: No, score=-102.577 tagged_above=-999 required=5 tests=[AWL=-0.022, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7jKaziNX6NOZ for <>; Fri, 5 Jul 2013 17:47:31 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id 4031221F9FF9 for <>; Fri, 5 Jul 2013 17:47:30 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id r660l9N7025043 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 5 Jul 2013 17:47:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1373071642; bh=VLViFhGQ2sSnPaZ2Svqqhw9d3YMLbYuTfRRX9Cqhpxw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=sTwBX9mOq1r3u40/8OO0ytsJG0l8yr23zW0t0/poPnsoThoBmzu9ryLjIsiCus1d0 81JpxpuVoQeuXE6ZOrrAS5RQWtcIXp0/u0uLyStJJtGuda3TnfEbo3Gl5u30SgAx+G ej8UJacmtD7P+8+AcMjpo8pH+gM4ukpR6/ju99mM=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1373071642;; bh=VLViFhGQ2sSnPaZ2Svqqhw9d3YMLbYuTfRRX9Cqhpxw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=PuQw2o8rzOva36SEvdA82miMvg+6ridtIb5FbvND9D69NEvyq/H7/HyT2wXlCN/DS C8FU92vsTJ+N6pxZs8mDa3OH+fJmPJ0vaL4zcyN5x/OtQWQShVVvui9ImCHvKXOpL/ yAnmekKK5QwjSFUTRHyLax3paB1qL+NKscPy3z8Q=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Fri, 05 Jul 2013 13:03:17 -0700
To: David Farmer <>, Arturo Servin <>
From: S Moonesamy <>
In-Reply-To: <>
References: <> <> <> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Re: [v6ops] Mitigation against IPv6 Router Advertisements flooding - draft-moonesamy-ra-flood-limit-00
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 06 Jul 2013 00:47:32 -0000

Hi Arturo, David,
At 08:52 05-07-2013, David Farmer wrote:
>I think some kind of applicability statement would be a useful 
>addition to the Draft.

 From an IETF Stream perspective it's difficult to assess how to 
write an applicability statement in this context.

>   I'm less worried about a network operators deciding that they 
> don't need to implement RA-Guard because their hosts implement 
> RA-Flood-Limit.  I'm more concerned about OS vendors or 
> implementors deciding they don't need to implement RA-Flood-Limit 
> because they view this as a network operator issue and if only the 
> network operators would just implement RA-Guard then RA-Flood-Limit 
> wouldn't be necessary.

I see.

>I think it needs to be made clear that both RA-Guard and 
>RA-Flood-Limit are independently necessary to ensure both the 
>security and stability of a network and its hosts.

Let me see if I can write some text to discuss the network versus host angle.

>1. RA-Guard or the other the techniques discussed in RFC6104 can 
>effectively prevent RAs sourced from hosts either by malicious 
>activity or simple miss-configuration.  But, RA-Guard can do little 
>to prevent RAs caused by software or hardware bugs within, or 
>miss-configuration of the network itself.

I prefer not to comment about this. :-)

>2. RA-Flood-Limit prevents the consequences of many different RAs 
>being seen by a host, regardless of the source of those RAs.  But, 
>can not distinguish between the source of the RAs, and may allow 
>malicious configuration of the host.


>3. Therefore, implementation of BOTH RA-Guard and RA-Flood-Limit are 
>necessary to ensure BOTH the security and stability of a network and its hosts.

I think that the above looks at the proposal as a solution to the RA 
flooding problem whereas the scope of the proposal is a mitigation to 
a problem which a host may encounter.

At 09:06 05-07-2013, Arturo Servin wrote:
>     I also agree with you that both RA-Guard and RA-Flood-Limit are
>necessary. I think those statements should be added to the draft.

Please see the comment above about the scope.

S. Moonesamy