David W. Hankins <David_Hankins@isc.org> wrote:
> There is some wireless equipment that claims to have a setting that forces all packets through the wireless bridge (where all traffic is between clients and bridge, and never client to client), and so one can filter DHCPv6 and maybe RA, but I am kind of skeptical about how much of this is elective and dependent upon client implementation...
As already said, wireless in infrastructure mode (with access points) always sends traffic between clients through the access point, so a decent AP can filter this. On the university network we frequently had the problem of rogue RAs (in 99% of the cases generated by Windows hosts running 6to4 and ICS).

We are currently migrating from an unencrypted wireless with mandatory VPN towards full IPv4/IPv6 eduroam (WPA2 Enterprise) with about 500 concurrent hosts, spread around four large subnets. Fortunately our access point vendor (Colubris, which very sadly is HP Procurve now) supports pcap-style filters on the wireless side. We deployed the ingress filter

    ether proto 0x888e or (ip6 and not (ip6[6] == 58 and ip6[40] == 134)) or (ip and not (udp port 137 or udp port 138 or udp port 139 or udp src port 67)) or arp

six months ago and have never had any problems again.

Bernhard
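To make explicit which bytes the ingress filter above actually tests, here is an added Python example (not code from the thread or from the AP vendor) that re-implements the same pcap expression over raw Ethernet frames and runs it against a handful of constructed sample frames: an EAPOL start, a rogue router advertisement, a neighbor solicitation, a DHCPv4 offer and discover, a NetBIOS name packet, a DNS query, an ARP request and a VLAN-tagged frame. All addresses and checksums in the samples are zeroed placeholders; untagged Ethernet II framing is assumed, as the original filter's fixed offsets also assume.

```python
import struct

# EtherTypes and protocol numbers the filter refers to
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
ETH_P_EAPOL = 0x888E          # 802.1X / WPA2 Enterprise authentication frames
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
NETBIOS_PORTS = {137, 138, 139}
BOOTPS_PORT = 67              # DHCPv4 server port; a client should never send from it


def _ipv4_udp_ports(pkt):
    """Return (sport, dport) for a UDP datagram in an unfragmented IPv4 packet, else None.

    Mirrors pcap's 'udp port N', which only matches when the IP protocol is UDP and
    the fragment offset is zero (later fragments carry no UDP header)."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[9] != IPPROTO_UDP or frag_off != 0 or len(pkt) < ihl + 4:
        return None
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def allowed_by_ingress_filter(frame: bytes) -> bool:
    """True if an untagged Ethernet II frame from a wireless client passes the filter:

    ether proto 0x888e
      or (ip6 and not (ip6[6] == 58 and ip6[40] == 134))
      or (ip and not (udp port 137 or udp port 138 or udp port 139 or udp src port 67))
      or arp
    """
    if len(frame) < 14:
        return False
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]

    if ethertype in (ETH_P_EAPOL, ETH_P_ARP):
        return True

    if ethertype == ETH_P_IPV6:
        # ip6[6] is the Next Header field of the fixed 40-byte header; ip6[40] is the
        # first byte after it, i.e. the ICMPv6 type when no extension header sits in
        # between. A frame too short for these loads is dropped here, as a BPF program
        # also rejects a frame when a load runs past its end.
        if len(pkt) < 41:
            return False
        is_ra = pkt[6] == IPPROTO_ICMPV6 and pkt[40] == ICMPV6_ROUTER_ADVERT
        return not is_ra

    if ethertype == ETH_P_IP:
        ports = _ipv4_udp_ports(pkt)
        if ports is None:
            return True           # not UDP (or a later fragment): no port test matches
        sport, dport = ports
        netbios = sport in NETBIOS_PORTS or dport in NETBIOS_PORTS
        return not (netbios or sport == BOOTPS_PORT)

    return False                  # no term of the filter covers any other EtherType


# Constructed sample frames (zeroed MAC/IP addresses, dummy checksums): not real captures.
def _eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload


def _ipv6(next_header, body):
    return struct.pack("!IHBB", 0x60000000, len(body), next_header, 255) + bytes(32) + body


def _ipv4_udp(sport, dport, body=b""):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(body), 0, 0, 64,
                         IPPROTO_UDP, 0, bytes(4), bytes(4))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(body), 0)
    return ip_hdr + udp_hdr + body


SAMPLE_FRAMES = {
    "eapol_start": _eth(ETH_P_EAPOL, bytes([2, 1, 0, 0])),
    "rogue_ra": _eth(ETH_P_IPV6, _ipv6(IPPROTO_ICMPV6, bytes([134, 0, 0, 0]) + bytes(12))),
    "neighbor_solicit": _eth(ETH_P_IPV6, _ipv6(IPPROTO_ICMPV6, bytes([135, 0, 0, 0]) + bytes(20))),
    "dhcpv4_offer": _eth(ETH_P_IP, _ipv4_udp(67, 68)),
    "dhcpv4_discover": _eth(ETH_P_IP, _ipv4_udp(68, 67)),
    "netbios_name": _eth(ETH_P_IP, _ipv4_udp(137, 137)),
    "dns_query": _eth(ETH_P_IP, _ipv4_udp(40000, 53)),
    "arp_request": _eth(ETH_P_ARP, bytes(28)),
    "vlan_tagged": _eth(0x8100, bytes(20)),
}


def classify_samples():
    """Map each sample frame name to whether the filter lets it through."""
    return {name: allowed_by_ingress_filter(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name:18s} {'pass' if ok else 'DROP'}")
```

Two points the walk-through makes visible. The EAPOL term has to come first on a WPA2 Enterprise network, since 802.1X authentication frames carry neither IP nor ARP and would otherwise never reach the AP. And the RA match is purely offset-based: it only sees a router advertisement when ICMPv6 immediately follows the fixed IPv6 header, which is the reason RFC 6980 requires dropping fragmented ND messages and RFC 7113 describes how an RA-Guard implementation should walk extension headers rather than trust byte 40.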