Hi,

On Thu, Oct 07, 2010 at 11:11:17AM +0200, João Damas wrote:
Enterprise switch: - RA-guard: your enemy is not -unsolicited- RA, your enemy is -unauthorized- RA. As in, the laptop your sales guy brought in announcing itself as the gateway to the world, even if RA was solicited.
AFAIK RA-guard prevents RA packets being sent from ports that are "declared" as "hosts" ports and connected hosts not authorized to send RA as such.
How is a host-based mechanism based on prevention of outgoing packets ever going to work? I mean, it can prevent accidents (perhaps, it is not a guarantee, look at the usual list of ad-hoc Wifi SSIDs at any event) but it sure won't prevent intentional unauthorised RAs.
RA-guard is not host-based but switch-based. You configure the switch "*this* is the port where the router lives" and RAs on all other ports are filtered.

See draft-ietf-v6ops-ra-guard-*.txt

Gert Doering
--
did you enable IPv6 on something today...?

SpaceNet AG, Joseph-Dollinger-Bogen 14, D-80807 Muenchen
Tel: +49 (89) 32356-444
Vorstand: Sebastian v. Bomhard
Aufsichtsratsvors.: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
USt-IdNr.: DE813185279
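The switch-side decision described in the reply above, as an added Python sketch that is not part of the thread and not any vendor's implementation. Port numbers, function names and the sample packets are constructed; it goes slightly beyond the text by walking IPv6 extension headers so an RA placed behind them is still recognised, and failing closed on a truncated header chain is an assumption of this sketch.

```python
import struct

ICMPV6, RA_TYPE, FRAGMENT = 58, 134, 44
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

def must_filter(pkt: bytes) -> bool:
    """True if the IPv6 packet is an ICMPv6 Router Advertisement, or its
    header chain is cut off so that an RA cannot be ruled out."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False                      # not IPv6: outside RA-guard's scope
    next_header, offset = pkt[6], 40
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(pkt):
            return True                   # truncated chain: fail closed
        if next_header == FRAGMENT:
            frag_offset = struct.unpack_from("!H", pkt, offset + 2)[0] >> 3
            if frag_offset:
                return False              # non-first fragment: no upper header here
            hdr_bytes = 8
        else:
            hdr_bytes = (pkt[offset + 1] + 1) * 8
        next_header = pkt[offset]
        offset += hdr_bytes
    if next_header != ICMPV6:
        return False
    if offset >= len(pkt):
        return True                       # ICMPv6 header missing: fail closed
    return pkt[offset] == RA_TYPE

def ra_guard(ingress_port: int, pkt: bytes, router_ports: set) -> str:
    """RAs are accepted only on ports configured as router-facing."""
    if ingress_port not in router_ports and must_filter(pkt):
        return "drop"
    return "forward"

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed IPv6 header with all-zero addresses."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) \
        + bytes(32) + payload

# Constructed samples (checksums are zero and not validated by this sketch).
RA_BODY = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)
RA = build_ipv6(ICMPV6, RA_BODY)
RA_BEHIND_DSTOPT = build_ipv6(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY)
ECHO = build_ipv6(ICMPV6, bytes([128, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("RA", RA), ("RA+dstopt", RA_BEHIND_DSTOPT), ("echo", ECHO)]:
        print(name, "router port:", ra_guard(1, pkt, {1}),
              "| host port:", ra_guard(7, pkt, {1}))
```
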