Rogue RA on 7600

Hi All,

Can anyone please share any best practice / recommended way of tackling the Rogue RA issue on a 7600 platform?

I'm aware that:

- PACLs can be used, even if not very flexible

- Cisco provides RA Guard, but I'm not sure if this is available in 7600 IOS?

Looking forward to some feedback, since I can't seem to find a good way to sort this out for production deployment.

thanks

Mark


Hi,

I would like to ask the question in a different way, since I got no feedback:

If the machines connected to my 7600 all have a static IPv6 address configured, and either have a static default route or learn the default via iBGP or OSPFv3, is rogue RA still a problem in such a case, or is it only an issue when using SLAAC?

thanks

Mark

Mark,

Rogue RA (RFC 6104) is only a problem with SLAAC and when you accept RAs.

On Linux you can disable reception of RAs, and you can also disable SLAAC and work only with static addressing.

So Rogue RA is no longer a problem.

You can find all the commands and more details in this presentation:

Autoconfiguration from SLAAC to Wireless Sensors Networks

or the Video:

Autoconfiguration from SLAAC to Wireless Sensors Networks

You can also analyze the RAs that you receive with tools like RAmond:

http://ramond.sourceforge.net/

About Rogue RA (RFC 6104), you may also be interested in SeND and RA Guard, both available on Cisco.

I did the dev-test of SeND for CISCO and wrote the scripts to test the feature.

It is excellent, but only implemented on Cisco and Linux.

You may also be interested in RA Guard, but you should be aware of RA Guard evasion and its countermeasure:

http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt

It seems that RA Guard is not 100% effective.

If the RA is in a fragmented packet, or if the RA has an Extension Header, the switch is not able to recognize it!

The question is: why should we have a fragmented RA or Extension Headers in an RA?

I don't see any need for that, but it is supposed to be supported by the RFC and is therefore permitted.

Now you can filter it, I will not tell how, and your RA Guard will work again!

Normally, most ND packets MUST have the Hop Limit set to 255 to be valid, which is a good protection, as it is impossible to send an ND packet from a remote network, and I thought that Rogue RA was not as dangerous because of this.

But I just noticed on an old capture of an RA I took from my ISP that their RAs have a Hop Limit of 64!


This RA is fully analyzed in my latest IPv6 Tutorial release on page 15, if you click on the RA capture:

http://www.fredbovy.com/Tutorial/IPv6Tutorial-RELEASE2.html

Kind Regards,

Fred Bovy

15 years ccie #3013

18 years ccsi #33517 (former #95003)

IPv6 Forum Gold Certified Engineer

IPv6 Forum Gold Certified Trainer

Member of G6 Association

Email: fred@fredbovy.com

Web: http://www.fredbovy.com

Wiki: http://www.fredbovy.com/MediaWiki

Twitter: http://twitter.com/#!/Fr
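The reply above makes three checks concrete: an RA must arrive with Hop Limit 255 (RFC 4861), an RA hidden behind a Fragment header or other extension headers is what defeats a naive RA Guard, and a host-side monitor such as RAmond can flag RAs from routers it does not know. As an added example, not code from the thread, from RAmond or from Cisco, here is a small Python checker that applies all three to a raw IPv6 packet. Every packet it is run on, and the allow-list containing `fe80::1`, are constructed for the example; the ICMPv6 checksum is not verified.

```python
"""Added example: host-side Router Advertisement sanity checks on raw IPv6 packets."""
import ipaddress
import struct

ICMPV6 = 58
ICMPV6_RA = 134
ND_HOP_LIMIT = 255          # RFC 4861: an RA MUST be received with Hop Limit 255
FRAGMENT = 44
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", FRAGMENT: "Fragment", 60: "Destination Options"}

# Constructed allow-list: link-local address of the one legitimate router on this segment.
LEGIT_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed IPv6 header and walk the extension-header chain.

    Returns src/dst, hop limit, the extension headers seen, the final next-header
    value and the payload after the chain (empty for a non-first fragment, whose
    upper-layer header travels in another packet).
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, _plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "hop_limit": hlim, "ext_headers": [], "fragmented": False, "first_fragment": True}
    off = 40
    while nxt in EXT_HEADERS:
        info["ext_headers"].append(EXT_HEADERS[nxt])
        if nxt == FRAGMENT:
            # Fixed 8 bytes: next, reserved, offset(13)|res(2)|M(1), identification
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            info["fragmented"] = True
            info["first_fragment"] = (frag >> 3) == 0
            nxt, off = pkt[off], off + 8
            if not info["first_fragment"]:
                break           # what follows is fragment data, not a header
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
    info["next_header"] = nxt
    info["payload"] = pkt[off:] if info["first_fragment"] else b""
    return info


def check_ra(pkt: bytes, legit_routers=LEGIT_ROUTERS) -> dict:
    """Classify a packet: not_ra, suspicious, accept, or rogue with a list of findings."""
    info = parse_ipv6(pkt)
    if info["next_header"] != ICMPV6:
        return {"verdict": "not_ra", "findings": []}
    if not info["first_fragment"]:
        # The ICMPv6 header is in another fragment; we cannot tell what this one carries.
        return {"verdict": "suspicious", "findings": ["non-first fragment of an ICMPv6 packet"]}
    if len(info["payload"]) < 16 or info["payload"][0] != ICMPV6_RA:
        return {"verdict": "not_ra", "findings": []}

    findings = []
    if info["fragmented"]:
        findings.append("RA carried in a fragmented packet")
    other_ext = [h for h in info["ext_headers"] if h != "Fragment"]
    if other_ext:
        findings.append("RA carries extension headers: " + ", ".join(other_ext))
    if info["hop_limit"] != ND_HOP_LIMIT:
        findings.append(f"hop limit {info['hop_limit']} != {ND_HOP_LIMIT}")
    if not info["src"].is_link_local:
        findings.append(f"source {info['src']} is not link-local")
    elif info["src"] not in legit_routers:
        findings.append(f"source {info['src']} not in router allow-list")
    # Decode the RA body to report what a victim host would have learned.
    _cur_hlim, flags, lifetime = struct.unpack("!BBH", info["payload"][4:8])
    return {"verdict": "accept" if not findings else "rogue", "router_lifetime": lifetime,
            "managed_flag": bool(flags & 0x80), "findings": findings}


def build_ra(src: str, hop_limit: int = 255, ext_headers: bytes = b"",
             first_ext: int = ICMPV6, router_lifetime: int = 1800) -> bytes:
    """Constructed test input: minimal RA to ff02::1 (ICMPv6 checksum left at zero)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    payload = ext_headers + icmp
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_ext, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + payload


# Constructed extension headers of the kind used to slip an RA past a naive RA Guard.
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])                      # 8-byte Dest Opts, one PadN
FRAG_FIRST = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0xDEADBEEF)      # offset 0, M=1
FRAG_LATER = struct.pack("!BBHI", ICMPV6, 0, 0x0008, 0xDEADBEEF)      # offset 1, M=0

if __name__ == "__main__":
    cases = {"legit": build_ra("fe80::1"),
             "isp-style hop limit": build_ra("fe80::1", hop_limit=64),
             "unknown router": build_ra("fe80::bad"),
             "dest-opts evasion": build_ra("fe80::bad", ext_headers=DEST_OPTS, first_ext=60),
             "fragment evasion": build_ra("fe80::bad", ext_headers=FRAG_FIRST, first_ext=FRAGMENT)}
    for name, packet in cases.items():
        print(f"{name:22s} {check_ra(packet)}")
```

The checker deliberately does not depend on SLAAC being in use: a Linux host with `net.ipv6.conf.<if>.accept_ra` left at its default will still install the advertised default router and on-link prefixes even when its addresses are static, so the host-side hardening Fred refers to is `accept_ra=0` (and `autoconf=0` to stop SLAAC) per interface, regardless of how addresses and routes are otherwise provisioned. The "suspicious" verdict for non-first fragments mirrors the practical answer to the evasion draft: a filter that cannot see the ICMPv6 header in a fragment has to decide about the whole packet, not just the first piece.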
