[ipv6hackers] Revised IETF I-D: Advice on RA-Guard Implementation
jim.small at cdw.com
Sat Jan 7 02:54:36 CET 2012
I don't feel qualified to post to the v6Ops list, but I will post something here:
For section 3:
I like the idea of being able to limit the number of extension headers.
For the second bullet, the minimum MTU for IPv6 is 1280 - is there a legitimate reason that the extension headers would ever need to exceed this length? Even with fragmentation, is there really a need for any extension headers not to be in the first fragment? If not, is there more of an algorithmic way to state this - follow this formula to determine if all EHs aren't in the first fragment? To have the equivalent of DHCP snooping in IPv6 my thought is there would need to be a formulaic approach which could be programmed into an ASIC.
I applaud your effort to propose a solution to the IETF/v6Ops to update the standards instead of just pointing out how they're broken.
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Fernando Gont
Sent: Wednesday, January 04, 2012 8:02 PM
To: IPv6 Hackers Mailing List
Subject: [ipv6hackers] Revised IETF I-D: Advice on RA-Guard Implementation
We've published the IETF I-D "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)". It is available at:
This I-D is based on our original I-D
draft-gont-v6ops-ra-guard-evasion-01, but now focuses on providing
advice to RA-Guard implementations, rather than on the evasion
techniques that have been found effective against most popular
implementations of RA-Guard.
Producing effective RA-Guard implementations is important to provide
feature parity with similar mitigation techniques already available and
employed in the IPv4 world.
Any feedback will be greatly appreciated. -- If possible, send your
feedback to: <v6ops at ietf.org> (the relevant IETF mailing-list), and CC me.
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
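
An added example, not part of the messages above or of the I-D: one way to state the "formula" asked about in the reply, as a filter that walks the extension header chain, caps the number of extension headers, and drops a first fragment whose chain does not reach the ICMPv6 header. The function names, the `max_eh` default of 8 and the sample packets are assumptions constructed for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, AH, DSTOPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
RA_TYPE = 134  # ICMPv6 Router Advertisement

def classify(pkt: bytes, max_eh: int = 8) -> str:
    """Return 'ra', 'other', 'non-first' or 'drop' for one IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"
    nh, off = pkt[6], 40
    for _ in range(max_eh + 1):
        if nh not in (HBH, ROUTING, FRAGMENT, AH, DSTOPTS):
            if nh != ICMPV6:
                return "other"          # not ICMPv6, so not an RA
            if off >= len(pkt):
                return "drop"           # ICMPv6 header is not in this fragment
            return "ra" if pkt[off] == RA_TYPE else "other"
        if off + 8 > len(pkt):
            return "drop"               # chain runs past the bytes we hold
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "non-first"      # offset != 0: no header chain to inspect
            hlen = 8
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    return "drop"                       # more than max_eh extension headers

# Constructed sample packets (fe80::1 -> ff02::1), not captured traffic.
def ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 255) + src + dst + payload

def dstopts(nh: int, units: int) -> bytes:
    return bytes([nh, units - 1]) + bytes(units * 8 - 2)   # zero bytes = Pad1 options

def frag(nh: int, offset: int, more: int) -> bytes:
    return bytes([nh, 0]) + struct.pack("!HI", offset << 3 | more, 0x1234)

RA = bytes([RA_TYPE]) + bytes(15)

if __name__ == "__main__":
    print(classify(ipv6(ICMPV6, RA)))
    print(classify(ipv6(FRAGMENT, frag(DSTOPTS, 0, 1) + dstopts(ICMPV6, 2))))
```

Every decision is a bounded loop over fixed-offset reads, which is the property a hardware implementation would need; a filter applying it would block `ra` on host-facing ports and discard `drop` outright.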