Diff of draft-ietf-v6ops-ra-guard-07.txt against draft-ietf-v6ops-ra-guard-08.txt (rfcdiff output). Where the two versions differ, both texts are given, labelled -07 and -08; text that is unchanged between them is given once.

v6ops Working Group                                      E. Levy-Abegnoli
Internet-Draft                                            G. Van de Velde
Intended status: Informational                               C. Popoviciu
Expires: March 6, 2011                                      Cisco Systems
                                                               J. Mohacsi
                                                            NIIF/Hungarnet
                                                       September 02, 2010

                      IPv6 Router Advertisement Guard
      <draft-ietf-v6ops-ra-guard-07.txt> / <draft-ietf-v6ops-ra-guard-08.txt>
Abstract

-07: When using IPv6 within a single L2 network segment it is possible and sometimes desirable to enable layer 2 devices to drop rogue RAs before they reach end-nodes. In order to distinguish valid from rogue RAs, the L2 devices can use a spectrum of criteria, from a static scheme that blocks RAs received on un-trusted ports, or from un-trusted sources, to a more dynamic scheme that uses Secure Neighbor Discovery (SEND) to challenge RA sources. This document reviews various techniques applicable on the L2 devices to reduce the threat of rogue RAs.

-08: Routed protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status.
Status of this Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
(Unchanged text skipped to page 4, line 31.)

... span the spectrum from basic (where the port of the L2 device is statically instructed to forward or not to forward RAs received from the connected device) to advanced (where a criterion is used by the L2 device to dynamically validate or invalidate a received RA; this criterion can even be based on SEND mechanisms).
2. Model and Applicability

RA-Guard applies to an environment where all messages between IPv6 end-devices traverse the controlled L2 networking devices.

-07: It does not apply to a shared media such as an Ethernet hub, when devices can communicate directly without going through an RA-Guard capable L2 networking device.

-08: It does not apply to a shared media, when devices can communicate directly without going through an RA-Guard capable L2 networking device.
Figure 1 illustrates a deployment scenario for RA-Guard.

                      Block                         Allow
    +------+        incoming     +---------+      incoming     +--------+
    |Host  |          RA         |   L2    |        RA         | Router |
    |      |---------------------| device  |-------------------|        |
    +------+                     +----+----+                   +--------+
                                      |
                                      |Block
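As an added illustration (not code from either draft version), the following Python model makes the RA-Guard decision the Introduction and Section 2 describe: a static per-port scheme (RAs arriving on untrusted ports are dropped) combined with a dynamic validity criterion on RAs from trusted ports. The port names, the port policy and the RFC 4861 well-formedness check (hop limit 255, link-local source) are assumptions chosen for the example; the frames are constructed inline.

```python
import struct

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
ICMPV6_RA = 134      # ICMPv6 Router Advertisement type

# Constructed port policy (assumption, not from the draft): only ports
# marked "router" may originate RAs; unknown ports are treated as "host".
PORT_POLICY = {"Gi1/0/1": "router", "Gi1/0/2": "host", "Gi1/0/3": "host"}


def is_router_advertisement(frame: bytes) -> bool:
    """True if the Ethernet frame carries an ICMPv6 RA (no extension headers)."""
    if len(frame) < 14 + 40 + 4:
        return False
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return False
    if frame[14 + 6] != ICMPV6:          # IPv6 Next Header field
        return False
    return frame[14 + 40] == ICMPV6_RA   # ICMPv6 Type field


def ra_is_well_formed(frame: bytes) -> bool:
    """Dynamic criterion (assumption): RFC 4861 requires an RA to arrive with
    hop limit 255 (never forwarded) from a link-local (fe80::/10) source."""
    hop_limit = frame[14 + 7]
    src = frame[14 + 8:14 + 24]
    link_local = src[0] == 0xFE and (src[1] & 0xC0) == 0x80
    return hop_limit == 255 and link_local


def ra_guard(port: str, frame: bytes) -> str:
    """Return 'forward' or 'drop' for a frame received on switch port `port`."""
    if not is_router_advertisement(frame):
        return "forward"                  # RA-Guard only inspects RAs
    if PORT_POLICY.get(port, "host") != "router":
        return "drop"                     # static scheme: untrusted port
    return "forward" if ra_is_well_formed(frame) else "drop"


def build_frame(src_ip: bytes, hop_limit: int, icmp_type: int) -> bytes:
    """Constructed test frame: Ethernet + IPv6 + 4-byte ICMPv6 header stub."""
    eth = bytes.fromhex("333300000001" "020000000001") + struct.pack("!H", ETHERTYPE_IPV6)
    dst_ip = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1 (all-nodes)
    icmp = bytes([icmp_type, 0, 0, 0])                  # type, code, checksum
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return eth + ip6 + src_ip + dst_ip + icmp
```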
End of changes. 3 change blocks. 14 lines changed or deleted, 9 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/