IPv6 RA-Guard - PowerPoint PPT Presentation

Slides: 10
Provided by: guntervand
Learn more at: https://www.ietf.org
1
IPv6 RA-Guard
  • G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu,
  • J. Mohacsi

IETF 70, December 3rd 2007, Vancouver
2
Concept Overview
  • Shared (public and non-public) L2 segments can be
    sensitive to Rogue-RA (draft-chown-v6ops-rogue-ra-00.txt
    provides a problem space overview)
  • In most networks the devices sending out valid RAs
    into a network are known or can be identified
  • The RA-guard solution allows onto an L2 network only
    RAs from these identified devices, while blocking
    other, unauthorized RAs

3
Example
[Figure: Valid Router and Layer-2 device (often a switch), with callouts numbered 1 to 3. Caption: "SLAAC etc. happens"]
4
Example
[Figure: Valid Router and Layer-2 device (often a switch), with callouts numbered 1 to 4. Caption: "Dr. Evil Breaks IPv6 the network"]
5
Example
[Figure: Valid Router and Layer-2 device (often a switch), with callouts numbered 1 to 4 and ports labelled "RA Fwd" or "RA Block". Speech bubble: "Actually, my name is Austin Powers. Danger is my middle name. RA-Guard will protect!!" Caption: "Austin did it again!"]
6
RA-Guard State-Machine
  • OFF
      • L2-device operates as if RA-guard did not exist
  • LEARNING
      • L2 device is actively acquiring information about
        the devices connected to its interfaces
      • Ports of the L2-device are blocking RA until
        declared valid based on pre-defined criteria
  • ACTIVE
      • The interfaces of devices with the RA-guard
        capability enabled can be in three possible
        states related to RA handling: Learning, Blocking
        and Forwarding

7
RA-Guard Interface States
  • RA-Blocking
  • RA-Forwarding
  • RA-Learning
  • RA-Guard interface state transition

8
RA-Guard pitfalls
  • The RA-Guard mechanism relies on the assumption
    that all messages between IPv6 devices in the
    target environment traverse the controlled L2
    networking devices
  • RA-Guard mechanism does not protect against
    tunneled IPv6 traffic
  • RA-Guard does not provide any protection against
    the content or IPv6 addresses used with
    RA-messages
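
The state machine and the tunneling pitfall above, modelled as an added example (not code from the presentation or the draft). It assumes the "pre-defined criteria" are an allow-list of router source MAC addresses; the class, helper names and sample frames are hypothetical and constructed here.

```python
import struct

ETH_IPV4, ETH_IPV6, NH_ICMPV6, ICMPV6_RA = 0x0800, 0x86DD, 58, 134
BLOCKING, FORWARDING, LEARNING = "RA-Blocking", "RA-Forwarding", "RA-Learning"

def is_native_ra(frame):
    """True only for an untunneled IPv6 frame carrying ICMPv6 type 134 (RA)."""
    if len(frame) < 14 + 40 + 1 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return False  # an IPv4 frame carrying 6in4 is never inspected further
    return frame[14 + 6] == NH_ICMPV6 and frame[14 + 40] == ICMPV6_RA

class RAGuardSwitch:
    def __init__(self, ports, valid_router_macs, enabled=True):
        self.enabled = enabled                      # False models the OFF state
        self.valid = set(valid_router_macs)         # assumed pre-defined criterion
        self.state = {p: LEARNING for p in ports}   # per-interface RA state
        self.seen = {p: set() for p in ports}       # RA source MACs seen while learning

    def handle(self, port, frame):
        """Return 'forward' or 'drop' for a frame received on `port`."""
        if not self.enabled or not is_native_ra(frame):
            return "forward"
        if self.state[port] == LEARNING:
            self.seen[port].add(frame[6:12])        # record sender, keep blocking the RA
        return "forward" if self.state[port] == FORWARDING else "drop"

    def finish_learning(self):
        """A port is declared valid only if every RA sender seen on it is allow-listed."""
        for port, macs in self.seen.items():
            self.state[port] = FORWARDING if macs and macs <= self.valid else BLOCKING

# --- constructed sample frames (zeroed addresses and checksums) ---
def eth(src_mac, ethertype, payload):
    return b"\x33\x33\x00\x00\x00\x01" + src_mac + struct.pack("!H", ethertype) + payload
def ipv6(next_header, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + bytes(32) + payload
def ipv4_6in4(inner):  # IPv4 header with protocol 41 (IPv6 encapsulation)
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0) + bytes(8) + inner

ROUTER, ROGUE = bytes.fromhex("020000000001"), bytes.fromhex("020000000666")
RA = ipv6(NH_ICMPV6, bytes([ICMPV6_RA]) + bytes(15))

def demo():
    sw = RAGuardSwitch(ports=[1, 2], valid_router_macs=[ROUTER])
    learning = (sw.handle(1, eth(ROUTER, ETH_IPV6, RA)), sw.handle(2, eth(ROGUE, ETH_IPV6, RA)))
    sw.finish_learning()
    return learning, sw.state, [
        sw.handle(1, eth(ROUTER, ETH_IPV6, RA)),            # RA on the valid router port
        sw.handle(2, eth(ROGUE, ETH_IPV6, RA)),             # unauthorized RA on a host port
        sw.handle(2, eth(ROGUE, ETH_IPV4, ipv4_6in4(RA))),  # tunneled RA is not seen as an RA
    ]
```

The last result shows the pitfall from the slide: the guard only matches native IPv6 RAs, so tunneled IPv6 has to be handled by a separate control.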

9
  • draft-vandevelde-v6ops-RA-guard-00.txt
  • THANK YOU!