Folks, Not sure if I had posted on this list about RA-Guard evasion issues. Anyway...nowadays most implementations remain vulnerable. If you care to get this fixed, please provide feedback about this I-D on the IETF *v6ops* mailing-list <v6ops@ietf.org>, and CC me if possible (please see below). Thanks! Best regards, Fernando -------- Original Message -------- Subject: RA-Guard: Advice on the implementation (feedback requested) Date: Wed, 01 Feb 2012 21:44:29 -0300 From: Fernando Gont <fgont@si6networks.com> Organization: SI6 Networks To: IPv6 Operations <v6ops@ietf.org> Folks, We have just published a revision of our I-D "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)" <http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-01.txt>. In essence, this is the problem statement, and what this I-D is about: * RA-Guard is essential to have feature parity with IPv4. * Most (all?) existing RA-Guard implementations can be trivially evaded: if the attacker includes extension headers in his packets, the RA-Guard devices fail to identify the Router Advertisement messages. -- For instance, THC's "IPv6 attack suite" (<http://www.thc.org/thc-ipv6/>) contains tools that can evade RA-Guard as indicated. * The I-D discusses this problem, and provides advice on how to implement RA-Guard, such that the aforementioned vulnerabilities are eliminated, we have an effective RA-Guard device, and hence feature-parity with IPv4. We'd like feedback on this I-D, including high-level comments on whether you support the proposal in this I-D. Thanks! Best regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1