[ipv6hackers] Revised IETF I-D: Advice on RA-Guard Implementation

Jim Small jim.small at cdw.com
Sat Jan 7 02:54:36 CET 2012


I don't feel qualified to post to the v6Ops list, but I will post something here:

For section 3:
I like the idea of being able to limit the number of extension headers.

For the second bullet, the minimum MTU for IPv6 is 1280 - is there a legitimate reason that the extension headers would ever need to exceed this length?  Even with fragmentation, is there really a need for any extension headers not to be in the first fragment?  If not, is there more of an algorithmic way to state this - follow this formula to determine if all EHs aren't in the first fragment?  To have the equivalent of DHCP snooping in IPv6 my thought is there would need to be a formulaic approach which could be programmed into an ASIC.

I applaud your effort to propose a solution to the IETF/v6Ops to update the standards instead of just pointing out how they're broken.


-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Fernando Gont
Sent: Wednesday, January 04, 2012 8:02 PM
To: IPv6 Hackers Mailing List
Subject: [ipv6hackers] Revised IETF I-D: Advice on RA-Guard Implementation


We've published the IETF I-D "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)". It is available at:

This I-D is based on our original I-D
draft-gont-v6ops-ra-guard-evasion-01, but now focuses on providing
advice to RA-Guard implementations, rather than on the evasion
techniques that have been found effective against most popular
implementations of RA-Guard.

Producing effective RA-Guard implementations is important to provide
feature parity with similar mitigation techniques already available and
employed in the IPv4 world.

Any feedback will be greatly appreciated. -- If possible, send your
feedback to: <v6ops at ietf.org> (the relevant IETF mailing-list), and CC me.


Best regards,
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
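
The first-fragment question raised in the reply above can be stated as a bounded walk over the Next Header chain, sketched here in C. This is an added example, not code from the I-D or from either poster; `walk_chain`, `ra_guard_drop`, `MAX_EXT_HDRS` and the drop policy are assumptions, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_EXT_HDRS 4 /* assumed policy limit, not a value from the I-D */
enum verdict { FULL_CHAIN, TRUNCATED_CHAIN, TOO_MANY_HDRS, NOT_FIRST_FRAG };

/* Walk one IPv6 packet; on FULL_CHAIN set *proto (upper layer) and *off. */
enum verdict walk_chain(const uint8_t *p, size_t len, uint8_t *proto, size_t *off)
{
    if (len < 40) return TRUNCATED_CHAIN;  /* fixed header is 40 bytes */
    uint8_t nh = p[6];                     /* Next Header of the fixed header */
    size_t o = 40, hlen;
    for (int n = 0; ; n++) {
        switch (nh) {
        case 0: case 43: case 60: case 51: /* Hop-by-Hop, Routing, DestOpts, AH */
            if (o + 2 > len) return TRUNCATED_CHAIN;
            hlen = nh == 51 ? (p[o + 1] + 2u) * 4 : (p[o + 1] + 1u) * 8;
            break;
        case 44:                           /* Fragment header, fixed 8 bytes */
            if (o + 8 > len) return TRUNCATED_CHAIN;
            if (p[o + 2] | (p[o + 3] & 0xf8)) return NOT_FIRST_FRAG;
            hlen = 8;
            break;
        default:                           /* upper layer; ESP is treated as one */
            hlen = nh == 6 ? 20 : nh == 17 ? 8 : nh == 58 ? 4 : 0; /* min size */
            if (o + hlen > len) return TRUNCATED_CHAIN;
            *proto = nh; *off = o;
            return FULL_CHAIN;
        }
        if (n >= MAX_EXT_HDRS) return TOO_MANY_HDRS;
        if (o + hlen > len) return TRUNCATED_CHAIN;
        nh = p[o]; o += hlen;              /* first byte of each EH is Next Header */
    }
}

/* Assumed policy (1 = drop): RAs and uninspectable chains are dropped. */
int ra_guard_drop(const uint8_t *p, size_t len)
{
    uint8_t proto = 0; size_t off = 0;
    enum verdict v = walk_chain(p, len, &proto, &off);
    /* later fragments pass: the first fragment carries the decision */
    return v != NOT_FIRST_FRAG && (v != FULL_CHAIN || (proto == 58 && p[off] == 134));
}

/* Constructed sample: Fragment (offset 0, M=1) -> Dest Options -> ICMPv6 RA. */
static const uint8_t sample[60] = { 0x60, [5] = 20, [6] = 44, [7] = 255,
    [40] = 60, [43] = 1, [48] = 58, [50] = 1, [51] = 4, [56] = 134 };
int main(void)
{
    printf("cut at 56: drop=%d, whole: drop=%d\n", ra_guard_drop(sample, 56), ra_guard_drop(sample, 60));
    return 0;
}
```

Every step is a bounds compare, a table lookup on Next Header and an add, with the loop capped by `MAX_EXT_HDRS`.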
