04-15-2012 04:22 AM - edited 03-01-2019 05:34 PM
Hi All,
Can anyone please share any best practice / recommended way of tackling the Rogue RA issue on a 7600 platform?
I'm aware that:
- PACLs can be used, even if not very flexible
- Cisco provides RA Guard, but not sure if this is available in 7600 IOS?
Looking forward to some feedback since I can't seem to find a good way to sort this out for production deployment.
thanks
Mark
04-24-2012 04:35 AM
Hi,
I would like to ask the question in a different way since I got no feedback:
If the machines connected to my 7600 all have a static IPv6 address configured, and either have a static default route or learn the default via iBGP or OSPFv3, is rogue RA still a problem in such a case, or is it only an issue when using SLAAC?
thanks
Mark
04-25-2012 04:26 PM
Mark,
Rogue RA (RFC6104) is only a problem with SLAAC and when you accept RA.
On Linux you can disable reception of RA and you can also disable SLAAC and only work with static addresses.
So Rogue RA is no longer a problem.
You can find all the commands and more details in this presentation:
Autoconfiguration from SLAAC to Wireless Sensors Networks
or the Video:
Autoconfiguration from SLAAC to Wireless Sensors Networks
You can also use tools like RAmond to analyze the RA that you receive:
http://ramond.sourceforge.net/
About Rogue RA (RFC6104) you may also be interested in SeND and RA Guard, both available on Cisco.
I did the dev-test of SeND for Cisco and wrote the scripts to test the feature.
It is excellent but only implemented on Cisco and Linux.
You may also be interested in RA Guard, but you should be aware of RA Guard evasion and its countermeasures:
http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt
It seems that RA Guard is not 100% effective.
If the RA is in a fragmented packet or if the RA has some Extension Header, the switch is not able to recognize it!
The question is why should we have fragmented RA or Extension Headers in a RA?
I don't see any need for that, but it is supposed to be supported by the RFC and therefore permitted.
Now you can filter it, I will not tell and your RA Guard will work again!
Normally most ND packets MUST have the Hop Limit set to 255 to be valid, which is a good protection as it is impossible to send an ND packet from a remote network, and I thought that Rogue RA was not as dangerous because of this.
But I just noticed on an old capture of an RA I took from my ISP that their RAs have a Hop Limit of 64!
This RA is fully analyzed in my latest IPv6 Tutorial Release on Page 15 if you click on the RA Capture:
http://www.fredbovy.com/Tutorial/IPv6Tutorial-RELEASE2.html
Kind Regards,
Fred Bovy
15 years CCIE #3013
18 years CCSI #33517 (former #95003)
IPv6 Forum Gold Certified Engineer
IPv6 Forum Gold Certified Trainer
Member of G6 Association
Email: fred@fredbovy.com
Wiki: http://www.fredbovy.com/MediaWiki
Twitter: http://twitter.com/#!/Fr
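The RA Guard evasion point in the reply above (an RA hidden behind extension headers or inside a fragment) and the Hop Limit 255 check, as an added example that is not from the post, from Cisco or from RAmond: a small Python parser that walks the IPv6 extension-header chain before deciding whether a packet is a Router Advertisement, placed beside the shallow check that only looks at the fixed header. The packets, addresses and RA body are constructed placeholders.

```python
import struct
ICMPV6, ROUTER_ADVERT, FRAGMENT = 58, 134, 44
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options

# Constructed placeholders (not from the post): fe80::1 -> ff02::1 and a minimal
# 16-byte RA body (type 134, code 0, zero checksum, cur hop limit 64, lifetime 0x0708).
SRC, DST = bytes.fromhex("fe80" + "00" * 13 + "01"), bytes.fromhex("ff02" + "00" * 13 + "01")
RA_BODY = bytes([ROUTER_ADVERT, 0, 0, 0, 64, 0, 0x07, 0x08]) + b"\x00" * 8

def ipv6(next_hdr, hop_limit, payload):
    """Fixed IPv6 header (version 6, no flow label) followed by the payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, hop_limit) + SRC + DST + payload

PLAIN_RA = ipv6(ICMPV6, 255, RA_BODY)
# RA behind a Destination Options header (next=ICMPv6, ext len 0, PadN option).
DSTOPT_RA = ipv6(60, 255, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY)
# RA in a first fragment (offset 0, M=1, identification 0xabcd).
FRAG_RA = ipv6(FRAGMENT, 255, bytes([ICMPV6, 0]) + struct.pack("!HI", 0x0001, 0xABCD) + RA_BODY)
LOW_HOPLIMIT_RA = ipv6(ICMPV6, 64, RA_BODY)

def naive_is_ra(pkt):
    """Shallow check: ICMPv6 right after the fixed header, type at offset 40."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == ROUTER_ADVERT

def classify(pkt):
    """Walk the extension-header chain first; also check the RFC 4861 hop limit of 255."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, hop_limit, off, ext, fragmented = pkt[6], pkt[7], 40, 0, False
    while nh != ICMPV6:
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return None
            fragmented = True
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                # Non-first fragment: the ICMPv6 type lives in another packet.
                return dict(ra=None, ext_headers=ext, fragmented=True, hop_limit_ok=hop_limit == 255)
            nh, off = pkt[off], off + 8
        elif nh in EXT_HEADERS:
            if off + 2 > len(pkt):
                return None
            ext += 1
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return dict(ra=False, ext_headers=ext, fragmented=fragmented, hop_limit_ok=hop_limit == 255)
    if off >= len(pkt):
        return None
    return dict(ra=pkt[off] == ROUTER_ADVERT, ext_headers=ext, fragmented=fragmented,
                hop_limit_ok=hop_limit == 255)
```

A monitor that reports `ra=None` for non-first fragments still needs reassembly before it can classify the RA, which is the gap the draft describes.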