Hi Tom,
On Fri, 18 Jul 2008, Tom Griffin wrote:
>
> The idea of using ACLs is something I feel wouldn't fix the problem, as it
> doesn't stop users on the same LAN segment from being affected by another
> user's mis-configured machine (since we cannot apply layer 3/4 ACLs to a layer
> 2 port).
>
Just to clarify, the use of ACLs was ONLY to protect the cisco interface,
acting as the official default route, from being poisoned. As I explained,
the interface picked up a 6to4 address and a new preferred false default
route and did NOT revert after the rogue RA went away!
>
> Quoting Jim Jackson <[log in to unmask]>:
>
>> Hi,
>>
>> We'd heard a few IPv6 related horror stories[1] incriminating ICS on IPv6
>> aware Windows XP and Vista, so we've done some testing.
>>
>> The main problem is that of Rogue Router Advertisements (RAs)
>>
>> http://tools.ietf.org/html/draft-chown-v6ops-rogue-ra-01
>>
>> When ICS is enabled (we used a laptop with a wireless and wired interface,
>> setting the wireless as the "internet" connection to share), ICS starts to
>> advertise itself as a default IPv6 router on the wired network, using a
>> 6to4 address and prefix. On our network all the IPv6 hosts stopped using
>> the official default route via our Cisco router, and started routing via
>> the ICS box. Also all IPv6 hosts picked up a new 6to4 IPv6 address.
>>
>> Our Cisco 6500 switch also picked up a 6to4 address on that VLAN interface,
>> and let the ICS default route take precedence, sending ICMPv6 redirects to
>> the ICS box whenever it received a packet to route. It continued doing
>> this after the ICS box was turned off and removed from the network,
>> necessitating manual intervention to restore normal service.
>>
>> Our thinking to protect against such software being "accidentally" deployed
>> is
>>
>> - to set the official Router Advertisements as high preference (RFC4191),
>> when we have a version of Cisco IOS that supports this. The ICS RAs
>> appear to have medium preference. Hopefully ipv6 hosts will
>> continue to use the official default route.
>>
>> - setup an ACL on the cisco box to drop incoming RAs from the network,
>> hopefully stopping the cisco routing being polluted.
>>
>> Has anyone any comments, or can anyone share any defensive measures they
>> have taken to cope with rogue RAs etc.?
>>
>> cheers
>> Jim
>> Network Development Team
>> University of Leeds
>>
>> [1] one such story involved ICS making huge levels of DNS requests,
>> effectively DoS'ing the DNS server. We haven't observed this.
>>
>