[j-nsp] Blocking router advertisement (RA) (was: Re: juniper-nsp Digest, Vol 101, Issue 46)

David B Funk dbfunk at engineering.uiowa.edu
Thu Apr 28 16:38:26 EDT 2011


> Message: 1
> Date: Wed, 27 Apr 2011 22:21:31 +0200
> From: martin papik <papik at utia.cas.cz>
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] juniper-nsp Digest, Vol 101, Issue 46
> Message-ID: <4DB87ACB.7010809 at utia.cas.cz>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi,
> can I block (drop) router advertisement (RA) only on specific ports in
> EX2400 (EX2200) configuration?
> The problem is in security, because when any station (PC, notebook)
> connected to LAN starts its own (but not official!!!) RA, I think that this unofficial RA
> will pass through the switch. RA is using icmpv6 port 134. For example, some PCs with
> Windows OS should generate their own unofficial RA. Maybe I can use a firewall filter, but this
> will generate higher CPU load :-(. Is it possible to use another specific conf. command?
> Did anyone solve this type of problem in the past?
> Thanks
> Martin Papik

Martin,
If you've got workstations sending RAs then you've probably got bigger 
problems than just rogue RAs. They're probably doing automatic v6-to-v4 
tunneling (either 6-to-4 or teredo), so you've got uncontrolled v6
traffic on your net. Given the exhaustion of v4 addrs, v6 is only going
to increase in use.

You need to either do a proper v6 deployment or take strong steps to
quash it; the half-baked environment only leads to misery.
In general, if workstations hear "official" RAs then they tend to
become just clients and don't try to do 6-to-4 tunnels (or configure
each workstation to completely disable its v6 stack).

Find a good source of IPv6 information and learn about the things that you 
need to know, both as a network engineer & system-administrator.

Good place to start:
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
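
A passive check for the situation discussed in this thread, added here as an example and not part of either poster's message: it parses captured Ethernet frames, picks out router advertisements (ICMPv6 message type 134), and flags any that do not come from a known router, marking separately those that advertise a 6to4 (2002::/16) prefix. The `official_macs` allowlist, the function names, and the sample MAC addresses and prefixes are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMPV6_RA = 134        # Router Advertisement message type (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def parse_ra(frame):
    """Return (src_mac, [advertised prefixes]) for an RA frame, else None."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd":
        return None
    ip = frame[14:54]
    if ip[6] != 58:    # ICMPv6 must follow directly; extension headers not handled
        return None
    icmp = frame[54:54 + struct.unpack("!H", ip[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return None
    prefixes, off = [], 16                      # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break                               # malformed option, stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and icmp[off + 2] <= 128:
            net = (icmp[off + 16:off + 32], icmp[off + 2])
            prefixes.append(ipaddress.IPv6Network(net, strict=False))
        off += opt_len
    return ":".join(f"{b:02x}" for b in frame[6:12]), prefixes

def classify(frame, official_macs):
    """'official', 'rogue-6to4', 'rogue', or None when the frame is not an RA."""
    ra = parse_ra(frame)
    if ra is None:
        return None
    mac, prefixes = ra
    if mac in official_macs:
        return "official"
    if any(p.subnet_of(SIX_TO_FOUR) for p in prefixes):
        return "rogue-6to4"
    return "rogue"

def build_ra(src_mac, prefix, plen=64):
    """Constructed sample RA frame (checksum left at zero, not verified above)."""
    pkt = ipaddress.IPv6Address
    opt = bytes([3, 4, plen, 0xC0]) + struct.pack("!III", 86400, 14400, 0) + pkt(prefix).packed
    icmp = bytes([ICMPV6_RA, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0) + opt
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip += pkt("fe80::1").packed + pkt("ff02::1").packed
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip + icmp
```

Fed frames from a mirror port or a capture file, `classify` gives a per-source verdict that can be logged against the switch port where the MAC address was learned.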

