For many years I just filtered out rogue RAs on my laptop at IETF. I looked at which routers were advertising which prefixes and configured an allow list in the firewall for those that looked correct and denied the rest. Then I removed the bogus addresses, generated as the result of those RAs, from the interface. I also removed the default route when it pointed to a bogus router and performed a router solicitation. Making that into a GUI so the user can point and click should be relatively easy.
Add to that next hop selection where you only send to a router that is advertising a prefix covering the source address you are using and trying from multiple source addresses, you can mostly eliminate the impact of accidental rogue RAs without needing to filter. If you want to eliminate malicious RAs then you need the network operator to help by using CGAs or similar so you can identify spoofed from non-spoofed RAs. The node can learn which router is using CGAs and automatically filter spoofed ones. By keeping a little more state it can also automatically clean up the side effects from those spoofed RAs.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: [email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
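The host-side procedure described in the message above (allow-list the routers and prefixes that look right, drop the addresses and default route that a rogue RA left behind, re-solicit, and only use a next hop whose advertised prefix covers the source address) as an added worked example. This is illustrative code written for this page, not Mark's tool or anything from ISC; the allow list, the two observed RAs, the router link-locals `fe80::1` and `fe80::bad` and the `2001:db8:` prefixes are all constructed sample data. It models the state in plain Python rather than touching a real interface, so it runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RouterAdvertisement:
    """One observed RA: its link-local source and the prefixes it carries."""
    router: str                 # link-local source address of the RA
    prefixes: Tuple[str, ...]   # advertised autoconf prefixes (CIDR strings)
    default_router: bool        # True when Router Lifetime > 0


@dataclass
class HostState:
    """Side effects an RA leaves on the host: addresses and the default route."""
    addresses: List[str]            # global addresses currently configured
    default_router: Optional[str]   # link-local of the current default router


# Constructed sample data (not from the message): an allow list of legitimate
# routers and the prefixes each is expected to advertise.
SAMPLE_ALLOW: Dict[str, Set[str]] = {"fe80::1": {"2001:db8:1::/64"}}

# Two RAs seen on the link: one legitimate, one rogue (hypothetical values).
SAMPLE_RAS = [
    RouterAdvertisement("fe80::1", ("2001:db8:1::/64",), True),
    RouterAdvertisement("fe80::bad", ("2001:db8:ffff::/64",), True),
]

# Host state after both RAs were processed: an address was autoconfigured from
# the rogue prefix and the rogue router won the default route.
SAMPLE_STATE = HostState(
    addresses=["2001:db8:1::10", "2001:db8:ffff::10"],
    default_router="fe80::bad",
)


def classify_ras(ras, allow):
    """Split observed RAs into accepted and rogue using the allow list.

    An RA is accepted only if its source router is listed and every prefix it
    advertises is one the allow list expects from that router. A spoofed RA
    that copies a legitimate router's source and prefix is not caught here;
    that is the case the message says needs CGAs on the operator side.
    """
    accepted, rogue = [], []
    for ra in ras:
        allowed_nets = {ipaddress.ip_network(p) for p in allow.get(ra.router, ())}
        ok = bool(allowed_nets) and all(
            ipaddress.ip_network(p) in allowed_nets for p in ra.prefixes
        )
        (accepted if ok else rogue).append(ra)
    return accepted, rogue


def cleanup_actions(state, rogue):
    """Work out what to undo: addresses formed from rogue prefixes and a
    default route pointing at a rogue router (followed by a new RS)."""
    rogue_nets = [ipaddress.ip_network(p) for ra in rogue for p in ra.prefixes]
    rogue_routers = {ra.router for ra in rogue}
    remove = [a for a in state.addresses
              if any(ipaddress.ip_address(a) in n for n in rogue_nets)]
    drop_default = state.default_router in rogue_routers
    return {
        "remove_addresses": remove,
        "drop_default_route": drop_default,
        "send_router_solicitation": drop_default,
    }


def select_next_hop(source, accepted):
    """Next-hop rule from the message: only use a default router whose
    advertised prefix covers the source address we are sending from."""
    src = ipaddress.ip_address(source)
    for ra in accepted:
        if ra.default_router and any(src in ipaddress.ip_network(p) for p in ra.prefixes):
            return ra.router
    return None


def run_example():
    """Run the whole procedure over the constructed sample data."""
    accepted, rogue = classify_ras(SAMPLE_RAS, SAMPLE_ALLOW)
    actions = cleanup_actions(SAMPLE_STATE, rogue)
    return {
        "rogue_routers": [ra.router for ra in rogue],
        "actions": actions,
        "next_hop_for_2001:db8:1::10": select_next_hop("2001:db8:1::10", accepted),
    }


if __name__ == "__main__":
    print(run_example())
```

With the sample data the rogue RA from `fe80::bad` is rejected, the address `2001:db8:ffff::10` is flagged for removal, the default route is dropped and a router solicitation is scheduled, and traffic sourced from `2001:db8:1::10` is sent only to `fe80::1`. An RA that arrives from a listed router but carries an unexpected prefix is also treated as rogue, which is what the prefix check in the allow list buys over a source-only filter.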
