Merit Network
 Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives
North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: IPv6 Deployment for the LAN

  • From: TJ
  • Date: Sun Oct 18 07:54:22 2009 
"This is a real problem even for people who are not using IPv6 right now and
have no desire to use IPv6 yet, because Rogue RAs will redirect all IPv6
traffic to a rogue 
box on the LAN"  

Answer = "RA Guard" - push your vendor-of-choice to implement it :).



/TJ
-----Original Message-----
From: Chuck Anderson [mailto:cra@WPI.EDU] 
Sent: Sunday, October 18, 2009 4:52 AM
To: nanog@nanog.org
Subject: Re: IPv6 Deployment for the LAN
<snip>
Unfortunately, no.  Many/most LAN switches don't support filtering 
IPv6 traffic yet.  Of those that do, most only support TCP/UDP ports 
but not ICMPv6 types or RA specifically.  Therefore, right now it is 
probably easier to find support to filter DHCPv6 (udp source port 547) 
than it is to find support to filter RA.  This is a real problem even 
for people who are not using IPv6 right now and have no desire to use 
IPv6 yet, because Rogue RAs will redirect all IPv6 traffic to a rogue 
box on the LAN, breaking access to dual-stack servers on the Internet.  
The impact is worse when you start trying to roll out IPv6 dual-stack 
to selected servers on your own LAN.


Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.