| draft-ietf-v6ops-ra-guard-07.txt | draft-ietf-v6ops-ra-guard-08.txt |
|---|---|
| v6ops Working Group, E. Levy-Abegnoli | v6ops Working Group, E. Levy-Abegnoli |
| Internet-Draft, G. Van de Velde | Internet-Draft, G. Van de Velde |
| Intended status: Informational, C. Popoviciu | Intended status: Informational, C. Popoviciu |
| Expires: March 6, 2011, Cisco Systems | Expires: March 6, 2011, Cisco Systems |
| J. Mohacsi | J. Mohacsi |
| NIIF/Hungarnet | NIIF/Hungarnet |
| September 02, 2010 | September 02, 2010 |
| IPv6 Router Advertisement Guard | IPv6 Router Advertisement Guard |
| <draft-ietf-v6ops-ra-guard-07.txt> | <draft-ietf-v6ops-ra-guard-08.txt> |
| **Abstract** | **Abstract** |
| When using IPv6 within a single L2 network segment it is possible and sometimes desirable to enable layer 2 devices to drop rogue RAs before they reach end-nodes. In order to distinguish valid from rogue RAs, the L2 devices can use a spectrum of criteria, from a static scheme that blocks RAs received on un-trusted ports, or from un-trusted sources, to a more dynamic scheme that uses Secure Neighbor Discovery (SEND) to challenge RA sources. | Routed protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status. |
| This document reviews various techniques applicable on the L2 devices to reduce the threat of rogue RAs. | |
| **Status of this Memo** | **Status of this Memo** |
| This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. | This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. | Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. |
| *skipping to change at page 4, line 31* | *skipping to change at page 4, line 31* |
| span the spectrum from basic (where the port of the L2 device is statically instructed to forward or not to forward RAs received from the connected device) to advanced (where a criteria is used by the L2 device to dynamically validate or invalidate a received RA, this criteria can even be based on SEND mechanisms). | span the spectrum from basic (where the port of the L2 device is statically instructed to forward or not to forward RAs received from the connected device) to advanced (where a criteria is used by the L2 device to dynamically validate or invalidate a received RA, this criteria can even be based on SEND mechanisms). |
| **2. Model and Applicability** | **2. Model and Applicability** |
| RA-Guard applies to an environment where all messages between IPv6 end-devices traverse the controlled L2 networking devices. It does not apply to a shared media such as an Ethernet hub, when devices can communicate directly without going through an RA-Guard capable L2 networking device. | RA-Guard applies to an environment where all messages between IPv6 end-devices traverse the controlled L2 networking devices. It does not apply to a shared media, when devices can communicate directly without going through an RA-Guard capable L2 networking device. |
| Figure 1 illustrates a deployment scenario for RA-Guard. | Figure 1 illustrates a deployment scenario for RA-Guard. |

Figure 1 (identical in both revisions; the diff page shows only its first rows):

```text
        Block                         Allow
+------+ incoming  +---------+ incoming  +--------+
|Host  |    RA     |   L2    |    RA     | Router |
|      |-----------|  device |-----------|        |
+------+           +----+----+           +--------+
                        |
                        |Block
```
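The policy in Figure 1, modelled as code. This is an added example, not text or code from the draft: a software model of an RA-Guard capable L2 device that drops Router Advertisements (ICMPv6 type 134) arriving on host-facing ports and forwards them on the router-facing port, the "basic" end of the spectrum the draft describes. The "advanced" end is represented by an optional `validator` callable; the draft names SEND status as one such criterion, whereas the allow-list used in `demo()` is a constructed stand-in. Port names, MAC addresses and link-local addresses are all constructed, and the frame builder leaves the ICMPv6 checksum zero because this filter never verifies it.

```python
import struct
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
# Extension headers carrying a (next header, length) pair the parser can skip over.
SKIPPABLE_EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options


@dataclass
class ParsedFrame:
    src_mac: bytes
    src_ip: ipaddress.IPv6Address
    dst_ip: ipaddress.IPv6Address
    icmpv6_type: Optional[int]  # None when the frame is not classifiable ICMPv6


def _icmpv6_type(payload: bytes, next_header: int) -> Optional[int]:
    """Walk skippable extension headers and return the ICMPv6 type, if any."""
    off = 0
    while next_header in SKIPPABLE_EXT_HEADERS:
        if len(payload) < off + 2:
            return None
        nh, ext_len = payload[off], payload[off + 1]
        off += (ext_len + 1) * 8  # length field counts 8-octet units beyond the first
        next_header = nh
    if next_header == NH_ICMPV6 and len(payload) > off:
        return payload[off]
    return None  # fragments and other headers are not classified by this toy parser


def parse_frame(frame: bytes) -> Optional[ParsedFrame]:
    """Parse Ethernet II + IPv6 (+ extension headers) + ICMPv6 type; None if not IPv6."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip = frame[14:54]
    if ip[0] >> 4 != 6:
        return None
    return ParsedFrame(
        src_mac=frame[6:12],
        src_ip=ipaddress.IPv6Address(ip[8:24]),
        dst_ip=ipaddress.IPv6Address(ip[24:40]),
        icmpv6_type=_icmpv6_type(frame[54:], ip[6]),
    )


class PortRole(Enum):
    HOST = "host"      # "Block incoming RA" side of Figure 1
    ROUTER = "router"  # "Allow incoming RA" side of Figure 1


@dataclass
class RaGuard:
    port_roles: dict
    # Hypothetical "advanced" hook: a criterion that may validate an RA on a host
    # port. The draft mentions SEND status; any callable fits this slot.
    validator: Optional[Callable[[ParsedFrame], bool]] = None
    dropped: list = field(default_factory=list)  # (port, source) of every blocked RA

    def should_forward(self, port: str, frame: bytes) -> bool:
        parsed = parse_frame(frame)
        if parsed is None or parsed.icmpv6_type != ICMPV6_ROUTER_ADVERTISEMENT:
            return True  # RA-Guard only acts on Router Advertisements
        if self.port_roles.get(port, PortRole.HOST) is PortRole.ROUTER:
            return True  # statically trusted port; unknown ports default to HOST
        if self.validator is not None and self.validator(parsed):
            return True  # dynamically validated RA
        self.dropped.append((port, str(parsed.src_ip)))
        return False


def build_icmpv6_frame(src_mac: bytes, src_ip: str, icmp_type: int,
                       dest_opts: bool = False) -> bytes:
    """Constructed test frame: Ethernet + IPv6 (+ Destination Options) + ICMPv6."""
    # RA-shaped 16-byte ICMPv6 header: type, code, checksum(0), hop limit, flags,
    # router lifetime, reachable time, retrans timer.
    icmp = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, 0, 1800, 0, 0)
    body, nh = icmp, NH_ICMPV6
    if dest_opts:
        # 8-octet Destination Options header: next header = ICMPv6, one PadN option
        body = bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + icmp
        nh = 60
    ip = struct.pack("!IHBB", 0x60000000, len(body), nh, 255)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip + body


def demo() -> dict:
    """Run the Figure 1 scenario; returns each forwarding decision for inspection."""
    guard = RaGuard(
        port_roles={"host-port-1": PortRole.HOST, "uplink-port": PortRole.ROUTER},
        validator=lambda f: f.src_ip == ipaddress.IPv6Address("fe80::1"),  # constructed allow-list
    )
    rogue_mac, router_mac = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    ra_rogue = build_icmpv6_frame(rogue_mac, "fe80::2", ICMPV6_ROUTER_ADVERTISEMENT)
    ra_rogue_ext = build_icmpv6_frame(rogue_mac, "fe80::2", ICMPV6_ROUTER_ADVERTISEMENT, dest_opts=True)
    ra_known = build_icmpv6_frame(router_mac, "fe80::1", ICMPV6_ROUTER_ADVERTISEMENT)
    ns = build_icmpv6_frame(rogue_mac, "fe80::2", 135)  # Neighbor Solicitation: not an RA
    return {
        "rogue_ra_on_host_port": guard.should_forward("host-port-1", ra_rogue),
        "rogue_ra_with_ext_hdr_on_host_port": guard.should_forward("host-port-1", ra_rogue_ext),
        "validated_ra_on_host_port": guard.should_forward("host-port-1", ra_known),
        "ra_on_router_port": guard.should_forward("uplink-port", ra_rogue),
        "ns_on_host_port": guard.should_forward("host-port-1", ns),
        "drops": guard.dropped,
    }
```

Two design points carry over to real deployments. Unknown ports default to the HOST role, so a port that was never classified fails closed for RAs rather than open. And the parser walks hop-by-hop, routing and destination-options headers before looking for the ICMPv6 type, because an RA is still an RA when extension headers precede it; fragments are the one case this toy parser leaves unclassified, and a production implementation has to decide how to treat them on untrusted ports.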
End of changes. 3 change blocks. 14 lines changed or deleted, 9 lines changed or added.
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |