IPv6 RA-Guard - PowerPoint PPT Presentation

About This Presentation
Title:

IPv6 RA-Guard

Description:

RA-guard is 'no replacement' for SeND but a tool to work ... RA-Guard could protect content of an RA. draft-vandevelde-v6ops-ra-guard-01.txt. 7. Next steps ... – PowerPoint PPT presentation

Number of Views:22
Avg rating:3.0/5.0
Slides: 9
Provided by: guntervand
Learn more at: https://www.ietf.org
Category:
Tags: content | guard | ipv6 | provided

less

Transcript and Presenter's Notes

Title: IPv6 RA-Guard


1
IPv6 RA-Guard
  • G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu,
  • J. Mohacsi

IETF 71, March 11/14th 2008 Philadelphia
2
Draft objective
  • Complement SeND where it is not (1) convenient or
    (2) possible to use SeND to defend against Rogue
    RA
  • RA-guard is no replacement for SeND but a tool
    to work together with SeND

3
SEND deployment model
C0 trusted anchor certificate with pfx_listP0
Certificate Authority CA0
CRL (revocation list)
Subordinate Certificate Authority CA1
CR certificate with pfx_listPR
host
router
RA (pfx_listPR)
CPA (CR)
4
Proposed Deployment model
C0 certificate with pfx_listP0
CA0
CRL
CA1
CR certificate with pfx_listPR
host
router
RA (pfx_listPR)
CPA (CR)
5
RA-Guard complementing SeND
  • RA-guard "SeND-validating" RA on behalf of hosts
    would potentially simplify some of the current
    deployment challenges
  • It may take time until SeND is ubiquitous (i.e.
    issues concerning provisioning hosts with trust
    anchors or SP access-networks with non-managed
    CPE)
  • It is also reasonable to expect that some devices
    might not consider implementing SeND (i.e. IPv6
    enabled sensors)
  • RA-guard intends to provide simple solutions to
    the rogue-RA problem
  • Through a simple solution by filtering/snooping
    potential Rogue-RA
  • In others, leverage SeND between capable devices
    (L2 and routers) to provide protection to devices
    that do not consistently use SeND

6
RA-Guard Use Considerations
  • RA-traffic must go through a RA-Guard L2
    controlled networking device
  • Tunneled traffic is not protected
  • RA-Guard could protect content of an RA

7
Next steps
  • Adopt as WG item?

8
  • draft-vandevelde-v6ops-ra-guard-01.txt
  • THANK YOU!
Write a Comment
User Comments (0)
About PowerShow.com