IPv6 RA-Guard (draft-ietf-v6ops-ra-guard-00.txt). G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi. 72nd IETF.

Presentation transcript:

Slide 1: IPv6 RA-Guard
draft-ietf-v6ops-ra-guard-00.txt
G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi
72nd IETF - Dublin, Ireland, 27 July - 1 August 2008

Slide 2: Draft objective
- Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA
- RA-guard is “no replacement” for SeND but a tool to work together with SeND

Slide 3: RA-Guard Usage Considerations
- RA traffic must go “through” an RA-Guard networking device
  - limited applicability in certain wireless networks
- Tunneled traffic is not protected
- RA-Guard could protect content of an RA message

Slide 4: New WG draft
- Updated and (hopefully) clarified from individual draft from last time
- Clarification of RA-guard operation modes: deny (based on criteria), allow (based on criteria), allow from SEND authorised sources
- Make more clear what “pre-defined criteria” mean
- For the SEND authorised mode, introduction of terminology of “router authorization proxy” - or should we call it “SEND validating device” - which is the right terminology? Should we call it ra-guard device in general cases?
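The deny and allow modes listed above, together with the usage consideration that tunneled traffic is not protected, as an added example (not code from the draft or its authors). The per-port policy table, the use of the RA source address as the criterion and all sample frames are assumptions constructed for illustration; the "SEND authorised sources" mode is not modelled.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

ETH_IPV6, ETH_IPV4, ICMPV6, RA_TYPE = 0x86DD, 0x0800, 58, 134
ANY = None  # hypothetical criteria value meaning "every RA matches"

def classify(frame):
    """Return ('ra' | 'other' | 'uninspected', IPv6 source bytes or None)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_IPV6:
        return "uninspected", None  # includes IPv6-in-IPv4 (protocol 41) tunnels
    ip6 = frame[14:]
    # Simplification: ICMPv6 must directly follow the fixed 40-byte IPv6 header.
    if len(ip6) > 40 and ip6[6] == ICMPV6 and ip6[40] == RA_TYPE:
        return "ra", ip6[8:24]
    return "other", ip6[8:24]

def ra_guard(policy, port, frame):
    """policy maps port -> (mode, criteria); criteria is ANY or a set of sources."""
    kind, src = classify(frame)
    if kind != "ra":
        return "forward"  # only native RAs are subject to the guard
    mode, criteria = policy[port]
    matches = criteria is ANY or src in criteria
    if mode == "deny":
        return "drop" if matches else "forward"
    return "forward" if matches else "drop"  # mode == "allow"

# Constructed sample frames; checksums are left at 0 (the filter does not verify them).
def eth(ethertype, payload):
    return bytes.fromhex("333300000001020000000001") + struct.pack("!H", ethertype) + payload

def ipv6(src, next_hdr, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 255)
    return hdr + IPv6Address(src).packed + IPv6Address("ff02::1").packed + payload

def ipv4_proto41(payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, 41, 0)
    return hdr + IPv4Address("192.0.2.1").packed + IPv4Address("192.0.2.2").packed + payload

RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
POLICY = {"uplink": ("allow", {IPv6Address("fe80::1").packed}), "host": ("deny", ANY)}

def demo():
    native = lambda src: eth(ETH_IPV6, ipv6(src, ICMPV6, RA))
    tunneled = eth(ETH_IPV4, ipv4_proto41(ipv6("fe80::2", ICMPV6, RA)))
    return [ra_guard(POLICY, "uplink", native("fe80::1")),   # listed router
            ra_guard(POLICY, "uplink", native("fe80::2")),   # unlisted source
            ra_guard(POLICY, "host", native("fe80::1")),     # any RA on a host port
            ra_guard(POLICY, "host", tunneled)]              # encapsulated, never inspected

if __name__ == "__main__":
    print(demo())
```

The last result shows the coverage gap the slides name: the guard classifies the encapsulated frame as uninspected and forwards it, so tunnel endpoints need their own RA filtering.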

Slide 5: Comments and Next steps
Comments so far from WG:
- Simplify state machine (from Christian Vogt): device/interface - device level probably not necessary - the authors are working on an updated state machine
- Define clearly pre-defined criteria (from Christian Vogt)
- Describe “router authorisation proxy” operation (from Arnaud Ebalard)
- Describe behaviour in case of multiple devices sending accepted RA messages (from Arnaud Ebalard)
Next:
- Address further comments from WG
- Fixing typos (Thanks to Arnaud Ebalard)

Slide 6: THANK YOU!

Slide 7: Backup slides (from IETF 71)

Slide 8: SEND deployment model
[Diagram. Labels: router; host; Certificate Authority CA_0; Subordinate Certificate Authority CA_1; C_0; trusted anchor; certificate with pfx_list=P_0; C_R; certificate with pfx_list=P_R; CRL (revocation list); CPA (C_R); RA (pfx_list=P_R)]

Slide 9: Proposed Deployment model
[Diagram. Labels: router; host; CA_0; CA_1; C_0; certificate with pfx_list=P_0; C_R; certificate with pfx_list=P_R; CRL; CPA (C_R); RA (pfx_list=P_R)]

Slide 10: RA-Guard complementing SeND
RA-guard "SeND-validating" RA on behalf of hosts would potentially simplify some of the current deployment challenges:
- It may take time until SeND is ubiquitous (i.e. issues concerning provisioning hosts with trust anchors or SP access-networks with non-managed CPE)
- It is also reasonable to expect that some devices might not consider implementing SeND (i.e. IPv6 enabled sensors)
RA-guard intends to provide simple solutions to the rogue-RA problem:
- Through a simple solution by filtering/snooping potential Rogue-RA
- In others, leverage SeND between capable devices (L2 and routers) to provide protection to devices that do not consistently use SeND