[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Eric Vyncke (evyncke) evyncke at cisco.com
Wed Aug 29 08:08:46 CEST 2012


Generally (based on the HW), Cisco switches have the option of dropping 'undetermined-transport' packets (= first fragment where there is no layer 4 information) which, when combined with RA-guard, then does the job.

Specifically about Cat 3560-X, the HW cannot do it but can drop all fragments sent from a LLA (in addition to RA-guard). That is the best it can do; this would prevent the fragmented rogue RA attack but could also have some false positives (which is why I am a strong supporter of your other I-D about those packets).

-éric

> -----Original Message-----
> From: Fernando Gont [mailto:fgont at si6networks.com]
> Sent: Tuesday 28 August 2012 19:44
> To: IPv6 Hackers Mailing List
> Cc: Eric Vyncke (evyncke)
> Subject: Re: [ipv6hackers] "Stick to limited IPv6 deployments,
> businesses warned"
> 
> Hi, Eric,
> 
> On 08/28/2012 11:15 AM, Eric Vyncke (evyncke) wrote:
> >
> > With my Cisco hat, I would like to add that 15.0(2)SE does bring
> > RA-guard to Cat 3560 since 10 days or so.
> 
> Key question: "Traditional" RA-Guard, or something along the lines of
> draft-ietf-v6ops-ra-guard-implementation?
> 
> Thanks!
> 
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
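The two filtering behaviours described in the message above, modelled side by side as an added example (not code from the thread or from any Cisco implementation). The function names, policy names and sample packets are constructed for illustration.

```python
import struct

EXT_HDRS = {0, 43, 60}                  # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134
LLA = bytes.fromhex("fe80" + "00" * 13 + "01")        # fe80::1 (constructed)
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1

def inspect(pkt: bytes):
    """Walk the header chain of one raw IPv6 packet; return (is_fragment, l4)."""
    if len(pkt) < 40:
        raise ValueError("shorter than an IPv6 header")
    nh, off, frag = pkt[6], 40, False
    while nh == FRAGMENT or nh in EXT_HDRS:
        if off + 8 > len(pkt):           # the header itself is cut off
            return frag, "undetermined"
        if nh == FRAGMENT:
            frag = True
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return frag, "non-first"  # offset != 0: no chain to inspect
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off >= len(pkt):                  # chain continues past this packet
        return frag, "undetermined"
    return frag, ("ra" if nh == ICMPV6 and pkt[off] == RA_TYPE else "other")

def full_policy(pkt: bytes) -> str:
    """RA-guard plus an undetermined-transport drop on a host-facing port."""
    _, l4 = inspect(pkt)
    return "drop" if l4 in ("ra", "undetermined") else "forward"

def lla_fragment_policy(pkt: bytes) -> str:
    """RA-guard plus 'drop every fragment sent from a link-local address'."""
    frag, l4 = inspect(pkt)
    from_lla = pkt[8] == 0xFE and (pkt[9] & 0xC0) == 0x80   # fe80::/10
    return "drop" if l4 == "ra" or (frag and from_lla) else "forward"

def ip6(nh: int, payload: bytes, src: bytes = LLA) -> bytes:
    """Build a minimal IPv6 packet for the constructed samples below."""
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + ALL_NODES + payload

# Constructed samples: an unfragmented RA, a first fragment whose Destination
# Options header claims 16 bytes with only 8 present, and a first fragment
# that does carry its UDP header.
PLAIN_RA = ip6(ICMPV6, bytes([RA_TYPE, 0, 0, 0]) + bytes(12))
HIDDEN_FIRST = ip6(FRAGMENT, struct.pack("!BBHI", 60, 0, 1, 7)
                   + bytes([ICMPV6, 1, 1, 4, 0, 0, 0, 0]))
UDP_FIRST = ip6(FRAGMENT, struct.pack("!BBHI", 17, 0, 1, 8)
                + struct.pack("!HHHH", 5353, 5353, 1200, 0) + bytes(8))
```

`UDP_FIRST` is the false-positive case: the first policy forwards it, while the link-local fragment policy drops it even though its layer 4 header is visible.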



