Re: Vancouver IETF network; bogus IPv6 RAs


 



Simon Leinen writes:
> Anyway, I finally learned how to configure filters on my Linux
> laptop, and found that the following command (as root) makes my box
> ignore RAs from that particular address:

> ip6tables -A INPUT -s fe80::204:23ff:fe7a:fb3e \
>   --protocol ipv6-icmp --icmpv6-type router-advertisement \
>   -j DROP

A second source of bogus RAs has popped up, so currently I recommend:
----------------------------------------------------------------------
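#!/bin/sh
# Link-local source addresses of the bogus RA senders seen so far
evil_ll="fe80::204:23ff:fe7a:fb3e fe80::20c:f1ff:fe34:45c0"
# Flush INPUT so re-running does not stack duplicates
# (note: this also removes any other rules already in INPUT)
ip6tables -F INPUT
for ll in ${evil_ll}
do
  # Drop router advertisements coming from this source address
  ip6tables -A INPUT -s "${ll}" \
    --protocol ipv6-icmp --icmpv6-type router-advertisement \
    -j DROP
done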
----------------------------------------------------------------------
An alternative would be to find out the addresses of the "real" IPv6
routers and block RAs from anywhere else.

Of course SEND (SEcure Neighbor Discovery) will solve this, right?
-- 
Simon.
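
The alternative mentioned in the message above (accept RAs only from the "real" routers and drop the rest), sketched as an added example that is not part of the original message. The chain name RA_FILTER, the function names and the fe80::1 / fe80::2 addresses in the usage comment are assumptions made for illustration; the real routers' link-local addresses must be substituted.

```shell
#!/bin/sh
# Added example: allowlist form of the RA filter. It only prints the
# ip6tables commands (dry run), so the rule set can be reviewed first.
# Usage: sh ra-allowlist.sh fe80::1 fe80::2   (constructed placeholder addresses)

RA_MATCH="--protocol ipv6-icmp --icmpv6-type router-advertisement"

# Succeed only for strings that look like fe80:... link-local addresses.
# Rejecting every character outside hex digits and ':' also keeps shell
# metacharacters out of the generated commands.
is_link_local() {
  case "$1" in
    *[!0-9a-fA-F:]*) return 1 ;;
    [fF][eE]80:*)    return 0 ;;
    *)               return 1 ;;
  esac
}

# Print commands for a dedicated chain: RAs from the listed routers go
# back to INPUT for normal processing, RAs from any other source are dropped.
ra_allowlist_rules() {
  if [ "$#" -eq 0 ]; then
    echo "need at least one router address (an empty list drops every RA)" >&2
    return 1
  fi
  # Validate everything before printing, so output is never partial.
  for ll in "$@"; do
    is_link_local "$ll" || { echo "not a link-local address: $ll" >&2; return 1; }
  done
  echo "ip6tables -N RA_FILTER"
  for ll in "$@"; do
    echo "ip6tables -A RA_FILTER -s $ll -j RETURN"
  done
  echo "ip6tables -A RA_FILTER -j DROP"
  # The jump is added last, so traffic only reaches a complete chain.
  echo "ip6tables -I INPUT $RA_MATCH -j RA_FILTER"
}

if [ "$#" -gt 0 ]; then
  ra_allowlist_rules "$@"
fi
```

After reviewing the printed commands, pipe the output to `sh` as root to apply them. Unlike the blocklist script, this does not flush INPUT, and a new rogue sender is dropped without any rule change.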


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
