Re: Vancouver IETF network; bogus IPv6 RAs

2005-11-09 16:34:39
Simon Leinen writes:
> Anyway, I finally learned how to configure filters on my Linux
> laptop, and found that the following command (as root) makes my box
> ignore RAs from that particular address:
>
> ip6tables -A INPUT -s fe80::204:23ff:fe7a:fb3e \
>   --protocol ipv6-icmp --icmpv6-type router-advertisement \
>   -j DROP

A second source of bogus RAs has popped up, so currently I recommend:
----------------------------------------------------------------------
#!/bin/sh
evil_ll="fe80::204:23ff:fe7a:fb3e fe80::20c:f1ff:fe34:45c0"
ip6tables -F INPUT
for ll in ${evil_ll}
do
  ip6tables -A INPUT -s "${ll}" \
    --protocol ipv6-icmp --icmpv6-type router-advertisement \
    -j DROP
done
----------------------------------------------------------------------
An alternative would be to find out the addresses of the "real" IPv6
routers and block RAs from anywhere else.

Of course SEND (SEcure Neighbor Discovery) will solve this, right?
-- 
Simon.
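
The alternative mentioned in the message, accepting RAs only from known routers, as an added example that is not part of the original post. The router addresses are constructed placeholders, and the chain and function names are hypothetical; the script prints the ip6tables commands instead of running them and uses its own chain rather than flushing INPUT.

```shell
#!/bin/sh
# Added example: allow RAs only from known routers, drop all others.
# good_ll holds constructed placeholders, not addresses from the post;
# replace them with the real routers' link-local addresses.
good_ll="fe80::1 fe80::2"
chain="RA_FILTER"   # hypothetical name for a dedicated chain
match="--protocol ipv6-icmp --icmpv6-type router-advertisement"

# True only for fe80::/10 (fe80.. through febf..); RFC 4861 requires
# the source of an RA to be a link-local address.
is_link_local() {
  case "$1" in
    *[!0-9a-fA-F:]*) return 1 ;;   # only hex digits and colons allowed
    [fF][eE][89aAbB][0-9a-fA-F]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print (do not run) the ip6tables commands for the given allowlist.
# Every address is validated before anything is printed, so a typo
# cannot produce a half-built rule set when the output is piped to sh.
ra_allowlist_rules() {
  if [ "$#" -eq 0 ]; then
    echo "refusing to build an empty allowlist" >&2
    return 1
  fi
  for ll in "$@"; do
    if ! is_link_local "$ll"; then
      echo "not a link-local address: $ll" >&2
      return 1
    fi
  done
  # Own chain: create it, or empty it if it exists; INPUT is not flushed.
  echo "ip6tables -N $chain 2>/dev/null || ip6tables -F $chain"
  for ll in "$@"; do
    echo "ip6tables -A $chain -s $ll -j RETURN"
  done
  echo "ip6tables -A $chain -j DROP"
  # Hook the chain into INPUT once, for RAs only.
  echo "ip6tables -C INPUT $match -j $chain 2>/dev/null ||" \
       "ip6tables -I INPUT 1 $match -j $chain"
}

# Review the output, then pipe it to sh as root to apply it.
ra_allowlist_rules ${good_ll}
```

Matching on the source address only keeps out misconfigured hosts: the link-local source of an RA is not authenticated, which is the gap SEND is meant to close.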


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
