Hi Fernando,

I gave you my feedback and some advice during the IETF in Quebec in a 1-2-1 email. My hopes are that you integrate the feedback.

The draft RA-Guard is correct and needs no fixing. I agree that my security section in the RA-Guard RFC is a bit light on content. However, the main thing is that implementations for RA-Guard use traditional ACLs for achieving the goal, and then of course these implementations can be bypassed with well-known and documented ACL bypass techniques.

You can keep rambling the kettle here, but keep the above in mind if you desire to proceed with this work.

G/

-----Original Message-----
From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Fernando Gont
Sent: 05 September 2011 05:54
To: ipv6-wg@ripe.net
Subject: [ipv6-wg] More on IPv6 RA-Guard evasion (IPv6 security)

Folks,

A few months ago I had published a couple of IETF Internet-Drafts to tackle the problem of RA-Guard evasion -- A summary of the problem and pointers to relevant materials is available at: http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html

The two I-Ds are:

* http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-01.txt
* http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-01.txt

The former one explains the different attack vectors, and proposes operational counter-measures. The latter proposes a longer-term solution.

I'm planning to revise these two I-Ds soon, so any comments/feedback/discussion would be really welcome.

P.S.: In case you haven't, you may want to join the IPv6 Hackers mailing-list: http://www.si6networks.com/community/mailing-lists.html

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
web: http://www.si6networks.com