Re: [v6ops] Rogue RAs was: ULA discussion #1 ULA+NAT
David Farmer <farmer@umn.edu> Thu, 07 March 2013 02:11 UTC
Return-Path: <farmer@umn.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9BC211E80C5 for <v6ops@ietfa.amsl.com>; Wed, 6 Mar 2013 18:11:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.085
X-Spam-Level:
X-Spam-Status: No, score=-6.085 tagged_above=-999 required=5 tests=[AWL=-0.086, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dhV025lJnbKS for <v6ops@ietfa.amsl.com>; Wed, 6 Mar 2013 18:11:12 -0800 (PST)
Received: from vs-m.tc.umn.edu (vs-m.tc.umn.edu [134.84.135.97]) by ietfa.amsl.com (Postfix) with ESMTP id 9794521F867E for <v6ops@ietf.org>; Wed, 6 Mar 2013 18:11:03 -0800 (PST)
Received: from mail-ia0-f199.google.com (mail-ia0-f199.google.com [209.85.210.199]) by vs-m.tc.umn.edu (UMN smtpd) with ESMTP for <v6ops@ietf.org>; Wed, 6 Mar 2013 20:10:51 -0600 (CST)
X-Umn-Remote-Mta: [N] mail-ia0-f199.google.com [209.85.210.199] #+LO+TR
X-Umn-Classification: local
Received: by mail-ia0-f199.google.com with SMTP id w21so6240438iac.10 for <v6ops@ietf.org>; Wed, 06 Mar 2013 18:10:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:message-id:date:from:reply-to:organization :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding:x-gm-message-state; bh=kg35acNVlPUh1++q3S7ciptKPeeETVkIJ7J7qp8PJNo=; b=o4yo8PFz1Mecja+pWjUwT8s12eYr6EIDwkac+CCmU0T+ghTCLbBXBOD+6405UhCcDh MtuYiN7MQabfcAiR6Tk+IT3UPS807Lqx3U19yPjmwyzVjNy3IcKE8bxBNMxi7fZdvvUw 53IO+od2LUDCdN4WOY+SiOM7xO96CCeDeZxOsPIdtzgxyU6IfXOrIV5X5ip2oZa5AZVf OuGF16amdUkL7BvteMrW+VIWPDQYbpkcu7bA22vcPxFDSaXPX+s2rAXaabgvwwqzu13R 2T/0YQ2zuhCNr5AaIvBuvnkkpW4HIUrQSUEf30V0zT2FbBvRm8EDW4/5+rYLLQLK28/M W66Q==
X-Received: by 10.42.247.8 with SMTP id ma8mr32908055icb.1.1362622251303; Wed, 06 Mar 2013 18:10:51 -0800 (PST)
X-Received: by 10.42.247.8 with SMTP id ma8mr32908048icb.1.1362622251221; Wed, 06 Mar 2013 18:10:51 -0800 (PST)
Received: from x-128-101-232-75.uofm-secure.wireless.umn.edu ([2607:ea00:104:2000:9c17:33e9:b428:61cc]) by mx.google.com with ESMTPS id i10sm25258309igz.9.2013.03.06.18.10.49 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 06 Mar 2013 18:10:49 -0800 (PST)
Message-ID: <5137F729.8080108@umn.edu>
Date: Wed, 06 Mar 2013 20:10:49 -0600
From: David Farmer <farmer@umn.edu>
Organization: University of Minnesota
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130107 Thunderbird/17.0.2
MIME-Version: 1.0
To: Doug Barton <dougb@dougbarton.us>
References: <2D09D61DDFA73D4C884805CC7865E6113025BF29@GAALPA1MSGUSR9L.ITServices.sbc.com> <CD5AC622.4132B%victor@jvknet.com> <CAD6AjGShhaAcUuBOx1=oStB-_0CaJwpYO37J=6Kf12DrzhPdcg@mail.gmail.com> <51359B64.7090006@dougbarton.us> <CAKD1Yr1_Rt2vuWuOrW4VB4m2Fa8S9j-57V+zKQFdZEP9gGCnVg@mail.gmail.com> <5135A4F9.6070306@dougbarton.us> <CAKD1Yr3Nr61tMhFpjy3ck47qeu198=RH=9A_uD-a8T9zFtBMVQ@mail.gmail.com> <5135ABE2.5030004@dougbarton.us> <20130305083629.GA31370@spike.0x539.de> <5135B34F.8030809@dougbarton.us> <CAKD1Yr2+=9AM6K_RwiKi7RD4vGYN5Ha2zwLhYi9FAgjHMzu7Mg@mail.gmail.com> <5136C780.3070306@dougbarton.us> <CAKD1Yr1FKBwOoy+-aN6TfEBdozf6p0KSMNNVq1QfZCK03BaB1g@mail.gmail.com> <5137AABD.1050401@dougbarton.us> <CAKD1Yr1xo_KS-UUyUoshJVjVv=pHDLV0dLxUujT_Eo92U=WPPw@mail.gmail.com> <5137AEE8.2050308@dougbarton.us> <CAKD1Yr0V50=B=snWU2bpJk=gKdbPLOyawqoKO8VkQVrtEiLDPw@mail.gmail.com> <5137B118.8040904@dougbarton.us>
In-Reply-To: <5137B118.8040904@dougbarton.us>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: ALoCoQktksEZCvyWHBU09nbXah8CWyAYr4ilefWfWezaOSKtCE/6NiE+kFOZDMdEkYMazOlIKrMn5HDPT2Ey26SEDDXllVRE4HkrIZ62aw7ZJSDBmYx4WqhzsG6ARQ/caGBJB6534rEb
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] Rogue RAs was: ULA discussion #1 ULA+NAT
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: David Farmer <farmer@umn.edu>
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Mar 2013 02:11:12 -0000
On 3/6/13 15:11 , Doug Barton wrote: > On 03/06/2013 01:06 PM, Lorenzo Colitti wrote: >> On Wed, Mar 6, 2013 at 1:02 PM, Doug Barton <dougb@dougbarton.us >> <mailto:dougb@dougbarton.us>> wrote: >> >> we have solutions for rogue RAs. >> >> >> Did you bring enough to share with the group? :) >> >> >> I think we're using the ones recommended by the IETF... > > So perhaps you would consider writing up a draft to describe your > deployment experience, how robust the solutions are under actual > testing, etc. I keep hearing from people that this problem isn't solved > yet. If you have solid evidence to the contrary it would be most welcome. We have a basic IPv6 inbound ACL on every wired access port blocking RAs and DHCP server responses for IPv4 and IPv6. By the way, IPv6 ACL support was a requirement when we selected our current switches in 2004. We also announce the RA from our routers with high priority. The later is necessary because our enterprise wireless solution doesn't support IPv6 ACLs yet. These techniques are discussed in RFC 6104. IPv6 ACLs or an automated RA-Guard, RFC 6105, block most rouge RAs caused by basic malicious activity or simple misconfiguration. Setting your routers RAs to high priority can deal with rogue RAs caused by simple misconfiguration in most cases. Draft-ietf-v6ops-ra-guard-implementation addresses some ways malicious activity can evade basic Rouge RA mitigation. That said the we haven't seen malicious activity in the wild. But, until we implemented the above techniques rogue RAs from simple misconfiguration were a huge issue. The above techniques have made our IPv6 network very stable. There is one additional technique we have used, that is filtering IPv6 traffic all together with a 86DD Ether-Type filter. This is a drastic solution, but is necessary in one part of our network. We have IPv6 enabled on our 802.1x/WPA2-enterprise authenticated wireless network, but the authentication portal for our web-portal authenticated wireless network doesn't support redirection of IPv6 traffic. Therefore, we filter all IPv6 traffic on the web-portal authenticated wireless network to prevent rogue RAs and make our entire network AAAA record safe. Bad or rogue IPv6 is worse than no IPv6. We are working with our enterprise wireless vendor to support IPv6 on their authentication portal and I believe it is a committed feature for a future release. Hope that helps. -- ================================================ David Farmer Email: farmer@umn.edu Office of Information Technology University of Minnesota 2218 University Ave SE Phone: 1-612-626-0815 Minneapolis, MN 55414-3029 Cell: 1-612-812-9952 ================================================
- [v6ops] ULA discussion #1 ULA+NAT Liubing (Leo)
- Re: [v6ops] ULA discussion #1 ULA+NAT Victor Kuarsingh
- Re: [v6ops] ULA discussion #1 ULA+NAT Liubing (Leo)
- Re: [v6ops] ULA discussion #1 ULA+NAT Gert Doering
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT james woodyatt
- Re: [v6ops] ULA discussion #1 ULA+NAT STARK, BARBARA H
- Re: [v6ops] ULA discussion #1 ULA+NAT joel jaeggli
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Victor Kuarsingh
- Re: [v6ops] ULA discussion #1 ULA+NAT Cameron Byrne
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Brian E Carpenter
- Re: [v6ops] ULA discussion #1 ULA+NAT Philipp Kern
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Brian E Carpenter
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Olle E. Johansson
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Bill Jouris
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Victor Kuarsingh
- Re: [v6ops] ULA discussion #1 ULA+NAT Philipp Kern
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Bill Jouris
- Re: [v6ops] ULA discussion #1 ULA+NAT Bill Jouris
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Arturo Servin
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Lorenzo Colitti
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Mark Andrews
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT David Conrad
- Re: [v6ops] ULA discussion #1 ULA+NAT Mark Andrews
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT David Conrad
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] Rogue RAs was: ULA discussion #1 ULA+… David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Liubing (Leo)
- Re: [v6ops] ULA discussion #1 ULA+NAT Liubing (Leo)
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Liubing (Leo)
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Victor Kuarsingh
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT David Conrad
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Ray Hunter
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Ray Hunter
- Re: [v6ops] ULA discussion #1 ULA+NAT Fernando Gont
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Philipp Kern
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT David Farmer
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Mark Smith
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Mark Smith
- Re: [v6ops] ULA discussion #1 ULA+NAT Brian E Carpenter
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Brian E Carpenter
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Gert Doering
- Re: [v6ops] ULA discussion #1 ULA+NAT Brian E Carpenter
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Ted Lemon
- Re: [v6ops] ULA discussion #1 ULA+NAT Tom Perrine
- Re: [v6ops] ULA discussion #1 ULA+NAT Joel Wirāmu Pauling
- Re: [v6ops] ULA discussion #1 ULA+NAT Doug Barton
- Re: [v6ops] ULA discussion #1 ULA+NAT Philipp Kern
- Re: [v6ops] ULA discussion #1 ULA+NAT Owen DeLong
- Re: [v6ops] ULA discussion #1 ULA+NAT Alexandru Petrescu