[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Owen DeLong owend at he.net
Fri Sep 30 01:22:21 CEST 2011


On Sep 29, 2011, at 2:42 PM, Enno Rey wrote:

> Hi,
> 
> On Thu, Sep 29, 2011 at 02:29:25PM -0700, Owen DeLong wrote:
>> 
>> On Sep 29, 2011, at 2:25 PM, Enno Rey wrote:
>> 
>>> Hi,
>>> 
>>> On Thu, Sep 29, 2011 at 01:57:46PM -0700, Owen DeLong wrote:
>>>> The difference is that in IPv4, most (security conscious) people turn off
>>>> the ability to pay attention to redirects.
>>>> 
>>>> In IPv6, you cannot (unless you want to deal with static routes or a routing
>>>> protocol on EVERY host) ignore RA.
>>> 
>>> how would running a RP prevent dealing with RAs?
>> 
>> You can turn on, for example, OSPF for host to learn its gateway and then, it
>> can ignore RAs.
> 
> are you sure?
> Just went through RFC 4862 and I don't think a host can do anything else than (SLAAC with RAs|DHCPv6, not distributing a default gateway anyway|manual).
> 

Why is it that you imagine a host cannot:

1.	Have a manual address.
2.	Bring up an OSPF process on that manual address (along with its link local)
3.	Form an OSPF adjacency using its link local address
4.	Obtain routes via the OSPF process
5.	Install those routes in the host's routing table.

Once that is done, the host has routes.

RFC 4862 only covers addressing and it does, as you mention above, permit manual addressing.
Once you have a manual address, you can, indeed, use a routing protocol (documented in other
RFCs) in order to obtain routes whether default or otherwise.

Thus, there are at least three possible sources of routing information available to a host:

	1.	Manually configured routes.
	2.	RA based default gateways.
	3.	Routing Protocol learned routes.

As long as you have at least one of them available, you can (potentially) connect.

Owen
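
The three route sources listed in the message above can be told apart on a running host. The following is an added example, not part of the original post: it assumes a Linux host and the text output of iproute2's `ip -6 route show`, and the sample table, interface names and function names are constructed for illustration.

```python
import subprocess
import sys
from collections import defaultdict

# iproute2 "proto" tags grouped into the three sources listed in the message.
SOURCES = {
    "manual": {"static", "boot"},
    "ra": {"ra"},
    "routing-protocol": {"ospf", "bgp", "isis", "rip", "babel", "zebra", "bird"},
}

# Constructed sample of `ip -6 route show` output (documentation prefixes).
SAMPLE = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
2001:db8:2::/64 via fe80::2 dev eth0 proto ospf metric 20 pref medium
default via fe80::2 dev eth0 proto ospf metric 20 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec pref medium
default via 2001:db8:3::1 dev eth1 metric 1024 pref medium
"""

def field(tokens, key, default=None):
    """Return the token following `key`, or `default` if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens[:-1] else default

def source_of(proto):
    """Map a proto tag to manual / ra / routing-protocol / other."""
    return next((name for name, tags in SOURCES.items() if proto in tags), "other")

def parse_routes(text):
    """Parse `ip -6 route show` text; a route with no proto tag is proto boot."""
    routes = []
    for tokens in filter(None, (line.split() for line in text.splitlines())):
        proto = field(tokens, "proto", "boot")
        routes.append({"dst": tokens[0], "dev": field(tokens, "dev"),
                       "via": field(tokens, "via"), "source": source_of(proto)})
    return routes

def default_sources(routes):
    """Per interface, the set of sources that currently supply a default route."""
    found = defaultdict(set)
    for r in routes:
        if r["dst"] == "default":
            found[r["dev"]].add(r["source"])
    return dict(found)

def ra_defaults(routes):
    """Interfaces whose routing table holds an RA-learned default route."""
    return sorted(d for d, s in default_sources(routes).items() if "ra" in s)

if __name__ == "__main__":
    live = "--live" in sys.argv  # --live runs iproute2 on this host
    text = subprocess.run(["ip", "-6", "route", "show"], capture_output=True,
                          text=True, check=True).stdout if live else SAMPLE
    for dev, sources in sorted(default_sources(parse_routes(text)).items()):
        print(dev, "default route from:", ", ".join(sorted(sources)))
    print("RA-learned defaults on:", ra_defaults(parse_routes(text)) or "none")
```

In the constructed sample, eth0 holds both an OSPF-learned and an RA-learned default, which shows that the host is still processing RAs on that interface even though a routing protocol already supplies its gateway. On Linux the per-interface `accept_ra` sysctl controls whether RAs are processed.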



