Re: [v6ops] Question regarding RA-Guard evasion (ND and extension headers)
"Manfredi, Albert E" <albert.e.manfredi@boeing.com> Thu, 23 June 2011 20:40 UTC
From: "Manfredi, Albert E" <albert.e.manfredi@boeing.com>
To: Ted Lemon <Ted.Lemon@nominum.com>
Date: Thu, 23 Jun 2011 15:40:12 -0500
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "ipv6@ietf.org" <ipv6@ietf.org>

Ted Lemon wrote:

> There probably is no single solution. But let's consider the solution
> Mark proposed: use the fact that you control the infrastructure to
> control the flow of packets on the network in such a way that rogue RAs
> cannot reach leaf nodes. The reason I object to this solution, in
> addition to the fact that it breaks multicast, is that it's a firewall
> solution: the client doesn't know it's safe, and as soon as it connects
> to a network that's not protected in this way, it's vulnerable. But
> the model of using infrastructure control as a credential is
> interesting.

While I too find it hard to accept the ETTH solution as being "real" Ethernet, I believe it is the network that is trying to protect itself here, more than altruistic protection of clients. If clients are protected as a result, great. Yes, in another network, those same clients might not be protected at all. Your solutions appear to be more client-oriented.

Bert