IPv6 RA-Guard
draft-ietf-v6ops-ra-guard-00.txt
G. Van de Velde, E. Levy-Abegnoli, C. Popoviciu, J. Mohácsi
72nd IETF - Dublin, Ireland, 27 July - 1 August 2008
Draft objective
- Complement SeND where it is not (1) convenient or (2) possible to use SeND to defend against Rogue RA
- RA-Guard is "no replacement" for SeND but a tool to work together with SeND
RA-Guard Usage Considerations
- RA traffic must go "through" an RA-Guard networking device - limited applicability in certain wireless networks
- Tunneled traffic is not protected
- RA-Guard could protect the content of an RA message
New WG draft
- Updated and (hopefully) clarified from the individual draft presented last time
- Clarification of RA-Guard operation modes: Deny (based on criteria), Allow from SEND-authorised sources
- Make more clear what "pre-defined criteria" means
- For the SEND-authorised mode, introduction of the term "router authorization proxy" - or should we call it "SEND validating device" - which is the right terminology? Should we call it "RA-Guard device" in general cases?
Comments and Next steps
Comments so far from WG:
- Simplify state machine (from Christian Vogt): device/interface - device level probably not necessary - the authors are working on an updated state machine
- Define clearly pre-defined criteria (from Christian Vogt)
- Describe "router authorisation proxy" operation (from Arnaud Ebalard)
- Describe behaviour in case of multiple devices sending accepted RA messages (from Arnaud Ebalard)
Next:
- Address further comments from WG
- Fix typos (thanks to Arnaud Ebalard)
THANK YOU!
Backup slides (from IETF 71)
SEND deployment model (diagram): trusted anchor certificate C0 (pfx_list=P0) at Certificate Authority CA0, which publishes a CRL (revocation list); Subordinate Certificate Authority CA1 issues the router certificate CR (pfx_list=PR); the router sends the host an RA (pfx_list=PR) and a CPA (CR).
Proposed deployment model (diagram): certificate C0 (pfx_list=P0) at CA0 with CRL; CA1 issues the router certificate CR (pfx_list=PR); the router sends the host an RA (pfx_list=PR) and a CPA (CR).
RA-Guard complementing SeND
- An RA-Guard "SeND-validating" RA on behalf of hosts would potentially simplify some of the current deployment challenges:
  - It may take time until SeND is ubiquitous (i.e. issues concerning provisioning hosts with trust anchors, or SP access networks with non-managed CPE)
  - It is also reasonable to expect that some devices might not consider implementing SeND (i.e. IPv6-enabled sensors)
- RA-Guard intends to provide simple solutions to the rogue-RA problem:
  - In some cases, through simple filtering/snooping of potential Rogue RA
  - In others, by leveraging SeND between capable devices (L2 devices and routers) to provide protection to devices that do not consistently use SeND
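To make the "Deny (based on pre-defined criteria)" mode and the content check of the usage-considerations slide concrete, here is an added example of an RA-Guard style decision function; it is not code from the draft or its authors. It assumes the L2 device hands the guard the raw IPv6 packet plus its ingress port, and that the criteria are a constructed allow-list of trusted port/router pairs and the prefix list PR (pfx_list) of the deployment-model slides.

```python
import ipaddress
import struct
ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement (RFC 4861)
ND_OPT_PREFIX_INFO = 3   # ND option: Prefix Information
# Pre-defined criteria (constructed sample policy): which port may carry RAs
# from which router link-local address, and the pfx_list PR it may advertise.
TRUSTED_ROUTER_PORTS = {"port-48": ipaddress.IPv6Address("fe80::1")}
PREFIX_LIST_PR = [ipaddress.IPv6Network("2001:db8:1::/64")]

def build_ra(src, prefixes, hop_limit=255):
    """Constructed test input: raw IPv6 + ICMPv6 RA (checksum left at zero)."""
    opts = b"".join(bytes([ND_OPT_PREFIX_INFO, 4, p.prefixlen, 0xC0]) + b"\0" * 12
                    + p.network_address.packed for p in map(ipaddress.IPv6Network, prefixes))
    icmp = bytes([ICMPV6_RA, 0, 0, 0, 64, 0]) + b"\0" * 10 + opts
    return struct.pack("!IHBB16s16s", 0x60000000, len(icmp), 58, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address("ff02::1").packed) + icmp

def is_ra(pkt):
    """IPv6 with ICMPv6 RA directly after the base header (extension headers not walked)."""
    return len(pkt) >= 56 and pkt[0] >> 4 == 6 and pkt[6] == 58 and pkt[40] == ICMPV6_RA

def parse_ra(pkt):
    """Return (src, hop_limit, [prefixes]) for an RA; None if an option is malformed."""
    src, prefixes, off = ipaddress.IPv6Address(pkt[8:24]), [], 56
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(pkt):
            return None
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 32:
            prefixes.append(ipaddress.IPv6Network(
                (pkt[off + 16:off + 32], pkt[off + 2]), strict=False))
        off += opt_len
    return src, pkt[7], prefixes

def ra_guard_decision(pkt, ingress_port):
    """'forward' when every criterion holds, otherwise 'drop: <reason>'."""
    if not is_ra(pkt):
        return "forward"                 # RA-Guard only acts on RAs
    parsed = parse_ra(pkt)
    if parsed is None:
        return "drop: malformed RA"
    src, hop_limit, prefixes = parsed
    if hop_limit != 255 or not src.is_link_local:
        return "drop: invalid RA header"   # RFC 4861: hop limit 255, link-local source
    if TRUSTED_ROUTER_PORTS.get(ingress_port) != src:
        return "drop: untrusted port or source"
    if any(not any(p.subnet_of(a) for a in PREFIX_LIST_PR) for p in prefixes):
        return "drop: prefix outside pfx_list"
    return "forward"
```

As the slides note, this only sees RAs that pass through the guard; tunneled RAs, and RAs behind extension headers or fragments, need separate handling.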