mailing list archives
Fwd: IPv6 RA-Guard: Advice on the implementation (feedback requested)
From: Fernando Gont <fernando () gont com ar>
Date: Thu, 02 Feb 2012 00:38:09 -0300
Not sure if I had posted on this list about RA-Guard evasion issues.
Anyway...nowadays most implementations remain vulnerable.
If you care to get this fixed, please provide feedback about this I-D on
the IETF *v6ops* mailing-list <v6ops () ietf org>, and CC me if possible
(please see below).
-------- Original Message --------
Subject: RA-Guard: Advice on the implementation (feedback requested)
Date: Wed, 01 Feb 2012 21:44:29 -0300
From: Fernando Gont <fgont () si6networks com>
Organization: SI6 Networks
To: IPv6 Operations <v6ops () ietf org>
We have just published a revision of our I-D "Implementation Advice for
IPv6 Router Advertisement Guard (RA-Guard)"
In essence, this is the problem statement, and what this I-D is about:
* RA-Guard is essential to have feature parity with IPv4.
* Most (all?) existing RA-Guard implementations can be trivially evaded:
if the attacker includes extension headers in his packets, the RA-Guard
devices fail to identify the Router Advertisement messages. -- For
instance, THC's "IPv6 attack suite" (<http://www.thc.org/thc-ipv6/>)
contains tools that can evade RA-Guard as indicated.
* The I-D discusses this problem, and provides advice on how to
implement RA-Guard, such that the aforementioned vulnerabilities are
eliminated, we have an effective RA-Guard device, and hence
feature-parity with IPv4.
We'd like feedback on this I-D, including high-level comments on whether
you support the proposal in this I-D.
e-mail: fernando () gont com ar || fgont () si6networks com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- Fwd: IPv6 RA-Guard: Advice on the implementation (feedback requested) Fernando Gont (Feb 02)