
IPv6 RA-Guard draft-ietf-v6ops-ra-guard-00.txt

IPv6 RA-Guard draft-ietf-v6ops-ra-guard-00.txt. G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi. 72nd IETF - Dublin, Ireland 27 July - 1 August 2008. Draft objective. Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA


Presentation Transcript


  1. IPv6 RA-Guard: draft-ietf-v6ops-ra-guard-00.txt
     G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi
     72nd IETF - Dublin, Ireland, 27 July - 1 August 2008

  2. Draft objective
     • Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA
     • RA-guard is “no replacement” for SeND but a tool to work together with SeND

  3. RA-Guard Usage Considerations
     • RA-traffic must go “through” a RA-Guard networking device - limited applicability in certain wireless networks
     • Tunneled traffic is not protected
     • RA-Guard could protect content of an RA message

  4. New WG draft
     • Updated and (hopefully) clarified from individual draft from last time
     • Clarification of RA-guard operation modes: Deny (based on criteria), allow (based on criteria), allow from SEND authorised sources
     • Make more clear what “pre-defined criteria” mean
     • For the SEND authorised mode introduction of terminology of “router authorization proxy” - or should we call “SEND validating device” - which is the right terminology?
     • Should we call ra-guard device in general cases?

  5. Comments and Next steps
     • Comments so far from WG:
       • Simplify state machine (from Christian Vogt): device/interface - device level probably not necessary - the authors are working on an updated state machine
       • Define clearly pre-defined criteria (from Christian Vogt)
       • Describe “router authorisation proxy” operation (from Arnaud Ebalard)
       • Describe behaviour in case of multiple devices sending accepted RA messages (from Arnaud Ebalard)
     • Next
       • Address further comments from WG
       • Fixing typos (Thanks to Arnaud Ebalard)

  6. draft-ietf-v6ops-ra-guard-00.txt THANK YOU!

  7. Backup slides From IETF71

  8. SEND deployment model
     [Diagram; labels: C0 trusted anchor certificate with pfx_list=P0; Certificate Authority CA0; CRL (revocation list); Subordinate Certificate Authority CA1; CR certificate with pfx_list=PR; host; router; RA (pfx_list=PR); CPA (CR)]

  9. Proposed Deployment model
     [Diagram; labels: C0 certificate with pfx_list=P0; CA0; CRL; CA1; CR certificate with pfx_list=PR; host; router; RA (pfx_list=PR); CPA (CR)]

  10. RA-Guard complementing SeND
     • RA-guard "SeND-validating" RA on behalf of hosts would potentially simplify some of the current deployment challenges:
       • It may take time until SeND is ubiquitous (i.e. issues concerning provisioning hosts with trust anchors or SP access-networks with non-managed CPE)
       • It is also reasonable to expect that some devices might not consider implementing SeND (i.e. IPv6 enabled sensors)
     • RA-guard intends to provide simple solutions to the rogue-RA problem:
       • Through a simple solution by filtering/snooping potential Rogue-RA
       • In others, leverage SeND between capable devices (L2 and routers) to provide protection to devices that do not consistently use SeND
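
The deny and allow modes from slide 4, applied per switch port, can be sketched as follows. This is an added example, not code from the draft or its authors. The criteria it uses (RA source address and advertised prefixes), the port policy layout and all addresses are assumptions, the SEND-authorised mode is not modelled, and the parser only handles RAs whose ICMPv6 header directly follows the fixed IPv6 header.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERT, OPT_PREFIX_INFO = 58, 134, 3

def parse_ra(pkt):
    """Return (source, [advertised prefixes]) for an untunneled IPv6 RA, else None."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6 or pkt[40] != ROUTER_ADVERT:
        return None
    src, prefixes, off = ipaddress.IPv6Address(pkt[8:24]), [], 56  # 40 B IPv6 + 16 B RA header
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8  # option length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(pkt):
            break  # malformed option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefixes.append(ipaddress.IPv6Network(
                (pkt[off + 16:off + 32], pkt[off + 2]), strict=False))
        off += opt_len
    return src, prefixes

def ra_guard(pkt, port):
    """Return 'forward' or 'drop' for a packet received on a port with the given policy."""
    ra = parse_ra(pkt)
    if ra is None:
        return "forward"  # not seen as an RA (tunneled traffic is not protected, per slide 3)
    if port["mode"] == "deny":
        return "drop"     # host-facing port: no RA is accepted
    src, prefixes = ra    # "allow" mode: every assumed criterion must match
    if src not in port["routers"]:
        return "drop"
    ok = all(any(p.subnet_of(n) for n in port["prefixes"]) for p in prefixes)
    return "forward" if ok else "drop"

def build_ra(src, prefix):
    """Constructed sample: minimal RA with one Prefix Information option, checksum 0."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    icmp += net.network_address.packed
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255) + addrs + icmp

# Hypothetical port policies (addresses and prefixes are constructed values)
HOST_PORT = {"mode": "deny"}
ROUTER_PORT = {"mode": "allow", "routers": {ipaddress.IPv6Address("fe80::1")},
               "prefixes": [ipaddress.IPv6Network("2001:db8::/32")]}

if __name__ == "__main__":
    print(ra_guard(build_ra("fe80::1", "2001:db8:1::/64"), ROUTER_PORT))  # forward
```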
