[LAC-TF] Fwd: RA-Guard: Advice on the implementation (feedback requested)
Fernando Gont
fgont at si6networks.com
Wed Feb 1 23:49:44 BRST 2012
Estimados,
Mas de uno debe haber leido sobre el tema de evasión de RA-Guard en mas
de una oportunidad (incluyendo:
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>).
Acabo de publicar una revision de un IETF I-D que describe el problema,
y propone una solución.
Sin embargo, a menos que el documento reciba apoyo, el mismo va a quedar
en la nada, y será menos probable que los fabricantes arreglen sus
implemantaciones.
Dicho de otro modo, si te importa que este problema se arregle, envía
tus comentatios a la lista del v6ops wg <v6ops at ietf.org> (se pueden
suscribir en: <https://www.ietf.org/mailman/listinfo/v6ops>, y de ser
posible, copiame. Caso contrario, sigamos lamentandonos....
Saludos cordiales, y gracias!
Best regards,
Fernando
-------- Original Message --------
Subject: RA-Guard: Advice on the implementation (feedback requested)
Date: Wed, 01 Feb 2012 21:44:29 -0300
From: Fernando Gont <fgont at si6networks.com>
Organization: SI6 Networks
To: IPv6 Operations <v6ops at ietf.org>
Folks,
We have just published a revision of our I-D "Implementation Advice for
IPv6 Router Advertisement Guard (RA-Guard)"
<http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-01.txt>.
In essence, this is the problem statement, and what this I-D is about:
* RA-Guard is essential to have feature parity with IPv4.
* Most (all?) existing RA-Guard implementations can be trivially evaded:
if the attacker includes extension headers in his packets, the RA-Guard
devices fail to identify the Router Advertisement messages. -- For
instance, THC's "IPv6 attack suite" (<http://www.thc.org/thc-ipv6/>)
contains tools that can evade RA-Guard as indicated.
* The I-D discusses this problem, and provides advice on how to
implement RA-Guard, such that the aforementioned vulnerabilities are
eliminated, we have an effective RA-Guard device, and hence
feature-parity with IPv4.
We'd like feedback on this I-D, including high-level comments on whether
you support the proposal in this I-D.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
More information about the LACTF
mailing list