Rogue RA on 7600

Apr 15th, 2012

Hi All,



Can anyone please share any best practice / recommended way of tackling the Rogue RA issue on a 7600 platform?

I'm aware that:

- PACLs can be used, even if not very flexible

- Cisco provides RA Guard, but not sure if this is available in 7600 IOS?

Looking forward to some feedback since I can't seem to find a good way to sort this out for production deployment.



thanks


Mark

Mark Pace Balzan Tue, 04/24/2012 - 04:35

Hi,

I would like to ask the question in a different way since I got no feedback:

If the machines connected to my 7600 all have a static IPv6 address configured, and either have a static default route, or learn default via iBGP or OSPFv3, is rogue RA still a problem in such a case, or is it only an issue when using SLAAC?



thanks


Mark

fbovy Wed, 04/25/2012 - 16:26

Mark,


Rogue RA (RFC6104) is only a problem with SLAAC and when you accept RA.


On Linux you can disable Reception of RA and you can also disable SLAAC and only work with static.

So Rogue RA is no more a problem.

You can find all the command and more details from this presentation:

Autoconfiguration from SLAAC to Wireless Sensors Networks

or the Video:

Autoconfiguration from SLAAC to Wireless Sensors Networks


You can also analyze the RAs that you receive with tools like RAmond:

http://ramond.sourceforge.net/


About Rogue RA (RFC6104) you may also be interested by SeND and RA Guard, both available on CISCO.

I did the dev-test of SeND for CISCO and wrote the scripts to test the feature.

It is excellent but only implemented on CISCO and Linux.

You may also be interested by RA Guard but you should be aware of RA Guard Evasion and parade:

http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt


It seems that RA Guard is not 100% efficient.

If the RA is in a fragmented packet or if the RA has some Extension Header, the switch is not able to recognize it!

The question is why should we have fragmented RAs or Extension Headers in an RA?

I don't see any need for that, but it is supposed to be supported by RFC and therefore permitted.

Now you can filter it, I will not tell and your RA Guard will work again!




Normally most ND packets MUST have the Hop Limit set to 255 to be valid, which is a good protection as it is impossible to send an ND packet from a remote network, and I thought that Rogue RA was not as dangerous because of this.

But I just noticed on an old capture of an RA I took from my ISP that their RAs have a Hop Limit of 64!

This RA is fully analyzed in my latest IPv6 Tutorial Release on Page 15 if you click on the RA Capture:

http://www.fredbovy.com/Tutorial/IPv6Tutorial-RELEASE2.html



Kind Regards,


Fred Bovy

15 years ccie #3013

18 years ccsi #33517 (former #95003)

IPv6 Forum Gold Certified Engineer

IPv6 Forum Gold Certified Trainer

Member of G6 Association

Email: [email protected]

Web: http://www.fredbovy.com

Wiki: http://www.fredbovy.com/MediaWiki

Twitter: http://twitter.com/#!/Fr
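The two checks discussed in this thread (the Hop Limit 255 rule for ND packets and the fragment/extension-header trick that hides an RA from RA Guard) can be run against captured traffic by a monitoring tool much like RAmond. The following is an added example, not code from the thread, RAmond or Cisco; it assumes raw IPv6 frames and constructs its own sample packets, with the ICMPv6 checksum left as a placeholder.

```python
import struct

ICMPV6, ROUTER_ADVERT, FRAGMENT = 58, 134, 44
# Extension headers a filter has to walk past before it can see ICMPv6 (RFC 8200).
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}

def audit_ra(pkt):
    """Classify a raw IPv6 packet as seen on a monitoring tap.
    Returns None if no Router Advertisement is visible, else a dict with the
    hop limit, the extension-header chain in front of ICMPv6, and the reasons
    the RA should be treated as suspect."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_hdr, hop_limit = pkt[6], pkt[7]
    offset, chain, reasons = 40, [], []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(pkt):
            return None                     # truncated chain, nothing to classify
        chain.append(EXT_HEADERS[next_hdr])
        if next_hdr == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
            if frag_off & 0xFFF8:
                return None                 # non-first fragment: ICMPv6 header is elsewhere
            next_hdr, hdr_len = pkt[offset], 8
        else:
            next_hdr, hdr_len = pkt[offset], (pkt[offset + 1] + 1) * 8
        offset += hdr_len
    if next_hdr != ICMPV6 or offset + 4 > len(pkt) or pkt[offset] != ROUTER_ADVERT:
        return None
    # RFC 4861: an RA MUST arrive with Hop Limit 255, i.e. never forwarded by a router.
    if hop_limit != 255:
        reasons.append("hop limit %d != 255" % hop_limit)
    # Headers in front of the RA are exactly what the RA Guard evasion draft relies on.
    if chain:
        reasons.append("extension headers before ICMPv6: " + ",".join(chain))
    return {"hop_limit": hop_limit, "ext_headers": chain, "reasons": reasons}

def make_ipv6(payload, next_hdr, hop_limit):
    """Constructed IPv6 header: link-local source, all-nodes multicast destination."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, hop_limit)
    return hdr + src + dst + payload

# Constructed RA: type 134, code 0, checksum placeholder, then the RA fields.
RA = bytes([ROUTER_ADVERT, 0, 0, 0, 64, 0, 0x07, 0x08, 0, 0, 0, 0, 0, 0, 0, 0])
GOOD_RA = make_ipv6(RA, ICMPV6, 255)
LOW_HOP_RA = make_ipv6(RA, ICMPV6, 64)                 # like the ISP capture above
FRAG_HDR = bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1])        # Fragment header, offset 0, M=0
EVASIVE_RA = make_ipv6(FRAG_HDR + RA, FRAGMENT, 255)   # RA sitting behind a Fragment header
```

A device that only inspects the first Next Header byte sees 44, not 58, on the last packet; the monitor walks the chain and reports the RA anyway.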
