On 2008-10-17 05:18, David W. Hankins wrote:
> On Tue, Oct 14, 2008 at 03:10:06PM +0800, Kadirvel Chockalingam Vanniarajan
> wrote:
>> 1) Is there a way for an IPv6 client to distinguish between an authoritative
>> RA vs non-authoritative RA? I guess not but I may be wrong. I refer to an
>> unauthorized host sending out RA to be non-authoritative RA.
>
> There isn't. In DHCPv4 operations, most operators implement link
> layer filters, where the potential for nefarious peers on the switch
> fabric is possible. Server-replies come only from servers with these
> filters.
>
> A similar method is required with RA, and currently with DHCP (but
> some of us think we know how we can put an end to that). There is a
> subtle difference; DHCP filters are just UDP port limitations. RA
> filters have to peer into ND packet fields.

Have you reviewed draft-chown-v6ops-rogue-ra-01? Does it state
the issues correctly? (Please reply to v6ops, not here.)

Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
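
The difference raised in the quoted reply, between a DHCP filter that only compares a UDP port and an RA filter that has to look into ND packet fields, shown as an added example that is not part of the thread. It uses DHCPv6 for the port case; the function names, the trusted-port policy and the sample packets are constructed for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60   # IPv6 extension headers
UDP, ICMPV6 = 17, 58
ND_ROUTER_ADVERT = 134       # ICMPv6 type of a Router Advertisement
DHCPV6_CLIENT_PORT = 546     # DHCPv6 clients listen on this UDP port

def classify(pkt: bytes) -> str:
    """Classify a raw IPv6 packet that starts at the IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined"
    nxt, off = pkt[6], 40
    # Both cases need the upper-layer header, so walk the extension chain.
    while nxt in (HBH, ROUTING, FRAGMENT, DSTOPTS):
        if off + 8 > len(pkt):
            return "undetermined"
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "other"           # non-first fragment: no upper layer here
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    if nxt == UDP:                        # DHCP case: a port comparison
        if off + 8 > len(pkt):
            return "undetermined"
        dport = struct.unpack_from("!H", pkt, off + 2)[0]
        return "dhcpv6-to-client" if dport == DHCPV6_CLIENT_PORT else "other"
    if nxt == ICMPV6:                     # RA case: read the ND message type
        if off >= len(pkt):
            return "undetermined"
        return "router-advert" if pkt[off] == ND_ROUTER_ADVERT else "other"
    return "other"

def permit(pkt: bytes, port_is_trusted: bool) -> bool:
    """Hypothetical switch policy: router/server traffic only from trusted ports."""
    if classify(pkt) == "other":
        return True
    return port_is_trusted               # unparsable packets fail closed

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Build a constructed test packet (addresses zeroed)."""
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255) + bytes(32) + payload

# Constructed sample packets
RA = bytes([ND_ROUTER_ADVERT, 0, 0, 0]) + bytes(12)
RA_PLAIN = ipv6(ICMPV6, RA)
RA_BEHIND_DSTOPTS = ipv6(DSTOPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)
DHCPV6_REPLY = ipv6(UDP, struct.pack("!HHHH", 547, 546, 12, 0) + b"\x07\x00\x00\x01")
ECHO = ipv6(ICMPV6, bytes([128, 0, 0, 0]) + bytes(4))
```

A filter that only compared the IPv6 Next Header field against 58 would miss `RA_BEHIND_DSTOPTS`, which is why the RA case needs the header walk.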