mail archive 76attendees.ietf.org
(List home) (Recent threads) (187 other Internet Engineering Task Force (IETF) lists)
Subscription Options
- RSS or Atom: Read-only subscription using a browser or aggregator. This is the recommended way if you don't need to send messages to the list. You can learn more about feed syndication and clients here.
- Conventional: All messages are delivered to your mail address, and you can reply. To subscribe, send an email to the list's subscribe address with "subscribe" in the subject line, or visit the list's homepage here.
- This list contains about 795 messages, beginning Oct 2009
- This list doesn't seem to be active
Report the Spam
This button sends a spam report to the moderator. Please use it sparingly. For other removal requests, read this.
Are you sure? yes no
Rogue IPv6 RA
Ad
Dear IET76 Attendees, This is Yuji Sekiya, IETF NOC. Someone's laptop announces Rogue IPv6 RA on SSID:ietf network. We send fake RAs with routerlifetime=0, so your computer may not be affected, however, the Rogue RAs are still announced. MAC addresses of laptop which announces Rogue RA are 00:1b:77:bc:a4:e6 00:21:6b:3c:8c:e2 Please STOP announcement of Rogue RA !!! -- Yuji Sekiya
Dear IET76 Attendees,is located in CATTLEA-East. > 00:21:6b:3c:8c:e2 is located in CATTLEA-East.On Mon, Nov 09, 2009 at 01:43:54PM +0900, Yuji Sekiya wrote: > > Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6
As seen from Acacia West the broken machine is: bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d) Prefix 2002:855d:13c9:9:: Prefix fec0:0:0:9::> -----Original Message----- > From: [mailto:76attendees- > ] On Behalf Of Masafumi OE > Sent: Monday, November 09, 2009 1:53 PM > To: Yuji Sekiya > Cc: > Subject: Re: [76attendees] Rogue IPv6 RA > > > Dear IET76 Attendees, > > On Mon, Nov 09, 2009 at 01:43:54PM +0900, > Yuji Sekiya wrote: > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > is located in CATTLEA-East. > > > 00:21:6b:3c:8c:e2 > is located in CATTLEA-East. > > > Please STOP announcement of Rogue RA !!! > > > > > -- > Masafumi OE, Astronomy Data Center, NAOJ. > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Interesting to see ULA on WiFi indeed ;-)On 9/11/09 13:56, "Tony Hain" wrote: > As seen from Acacia West the broken machine is: > > bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d) > > Prefix 2002:855d:13c9:9:: > Prefix fec0:0:0:9:: > > > >> -----Original Message----- >> From: [mailto:76attendees- >> ] On Behalf Of Masafumi OE >> Sent: Monday, November 09, 2009 1:53 PM >> To: Yuji Sekiya >> Cc: >> Subject: Re: [76attendees] Rogue IPv6 RA >> >> >> Dear IET76 Attendees, >> >> On Mon, Nov 09, 2009 at 01:43:54PM +0900, >> Yuji Sekiya wrote: >> >>> >>> Dear IET76 Attendees, >>> This is Yuji Sekiya, IETF NOC. >>> >>> Someone's laptop announces Rogue IPv6 RA on >>> SSID:ietf network. >>> >>> We send fake RAs with routerlifetime=0, so your computer >>> may not be affected, however, the Rogue RAs are still announced. >>> >>> MAC addresses of laptop which announces Rogue RA are >>> >>> 00:1b:77:bc:a4:e6 >> is located in CATTLEA-East. >> >>> 00:21:6b:3c:8c:e2 >> is located in CATTLEA-East. >> >>> Please STOP announcement of Rogue RA !!! >>> >> >> >> -- >> Masafumi OE, Astronomy Data Center, NAOJ. >> _______________________________________________ >> 76attendees mailing list >> >> https://www.ietf.org/mailman/listinfo/76atten... > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
That is not ula, it is site-local. Both of those prefixes are in the same RA> -----Original Message----- > From: evyncke [mailto:] > Sent: Monday, November 09, 2009 2:01 PM > To: ; 'Masafumi OE'; 'Yuji Sekiya' > Cc: > Subject: Re: [76attendees] Rogue IPv6 RA > > Interesting to see ULA on WiFi indeed ;-) > > > On 9/11/09 13:56, "Tony Hain" wrote: > > > As seen from Acacia West the broken machine is: > > > > bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d) > > > > Prefix 2002:855d:13c9:9:: > > Prefix fec0:0:0:9:: > > > > > > > >> -----Original Message----- > >> From: [mailto:76attendees- > >> ] On Behalf Of Masafumi OE > >> Sent: Monday, November 09, 2009 1:53 PM > >> To: Yuji Sekiya > >> Cc: > >> Subject: Re: [76attendees] Rogue IPv6 RA > >> > >> > >> Dear IET76 Attendees, > >> > >> On Mon, Nov 09, 2009 at 01:43:54PM +0900, > >> Yuji Sekiya wrote: > >> > >>> > >>> Dear IET76 Attendees, > >>> This is Yuji Sekiya, IETF NOC. > >>> > >>> Someone's laptop announces Rogue IPv6 RA on > >>> SSID:ietf network. > >>> > >>> We send fake RAs with routerlifetime=0, so your computer > >>> may not be affected, however, the Rogue RAs are still announced. > >>> > >>> MAC addresses of laptop which announces Rogue RA are > >>> > >>> 00:1b:77:bc:a4:e6 > >> is located in CATTLEA-East. > >> > >>> 00:21:6b:3c:8c:e2 > >> is located in CATTLEA-East. > >> > >>> Please STOP announcement of Rogue RA !!! > >>> > >> > >> > >> -- > >> Masafumi OE, Astronomy Data Center, NAOJ. > >> _______________________________________________ > >> 76attendees mailing list > >> > >> https://www.ietf.org/mailman/listinfo/76atten... > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten...
As I've just gone through this with someone that was sending RAs earlier, it seems as though if you've enabled internet connection sharing on Windows XP in the past, it may still be sending RAs even if ICS is disabled. From a command prompt: netsh interface ipv6 show interface level=verbose Look through the output for "Sends Router Advertisements : Yes", and for those interfaces do: set interface "Wireless Network Connection" advertise=disabled Replace "Wireless Network Connection" with the name of the relevant interface. I doubt this is persistent. Rob
Using netsh you typically have the option to add: store=persistent (persistent across reboots) or store=active (valid only until you reboot) Other tips when you configured 6to4 in your laptop and want to "undo" it, available for several operating systems at: http://www.ipv6tf.org/index.php?page=using/co... Regards, Jordi> De: Rob Evans > Responder a: > Fecha: Mon, 09 Nov 2009 05:01:49 +0000 > Para: > Asunto: Re: [76attendees] Rogue IPv6 RA > >> MAC addresses of laptop which announces Rogue RA are >> >> 00:1b:77:bc:a4:e6 >> 00:21:6b:3c:8c:e2 >> >> Please STOP announcement of Rogue RA !!! > > As I've just gone through this with someone that was sending RAs > earlier, it seems as though if you've enabled internet connection > sharing on Windows XP in the past, it may still be sending RAs even if > ICS is disabled. > > From a command prompt: > netsh > interface ipv6 > show interface level=verbose > > Look through the output for "Sends Router Advertisements : Yes", and for > those interfaces do: > > set interface "Wireless Network Connection" advertise=disabled > > Replace "Wireless Network Connection" with the name of the relevant > interface. > > I doubt this is persistent. > > Rob > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
At Mon, 09 Nov 2009 13:43:54 +0900, Yuji Sekiya wrote: Nowcomer... 00:16:cb:b5:c8:fe on SSID:ietf network. -- Yuji Sekiya> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
The client location is front-right side in ORCHID EAST. -- Masafumi OEOn Mon, Nov 09, 2009 at 07:20:27PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Nowcomer... > > 00:16:cb:b5:c8:fe > > on SSID:ietf network. > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Hi,Is that true ? IIRC, routerlifetime and address lifetime is not correlated. So, that address can be used for the source address for outgoing sessions, right ? You also have to deprecate the address by announcing PIO with preferred lifetime 0. Regards,On 2009/11/09, at 13:43, Yuji Sekiya wrote: > > Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced.> > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
I think some of implementation bind prefix and its default router, so default router is expired, the prefix is not selected as source address. -- Yuji Sekiya
Hi,
let me CC to 6man ML,
Per RFC4861,
6.3.4. Processing Received Router Advertisements
...
- If the address is already present in the host's Default Router
List and the received Router Lifetime value is zero,
immediately
time-out the entry as specified in Section 6.3.5.
...
6.3.5. Timing out Prefixes and Default Routers
Whenever the invalidation timer expires for a Prefix List entry,
that
entry is discarded. No existing Destination Cache entries need be
updated, however. Should a reachability problem arise with an
existing Neighbor Cache entry, Neighbor Unreachability Detection
will
perform any needed recovery.
Whenever the Lifetime of an entry in the Default Router List
expires,
that entry is discarded. When removing a router from the Default
Router list, the node MUST update the Destination Cache in such a
way
that all entries using the router perform next-hop determination
again rather than continue sending traffic to the (deleted) router.
I'm not sure what does "immediately time-out the entry as specified
in Section 6.3.5." mean.
Does it mean both paragraphs in 6.3.5. or just the latter paragraph ?
If the latter paragraph only should be executed, the address given
by rogue RA remains, right ?On 2009/11/09, at 19:55, Yuji Sekiya wrote:
> At Mon, 9 Nov 2009 19:52:48 +0900,
> Arifumi Matsumoto wrote:
>
>> IIRC, routerlifetime and address lifetime is not correlated.
>>
>> So, that address can be used for the source address for
>> outgoing sessions, right ?
>
> I think some of implementation bind prefix and its default
> router, so default router is expired, the prefix is not
> selected as source address.
>
> -- Yuji Sekiya
Erik,Second to that.I fail to get your point. Requiring sending a RS leads to ... ? Even if that RS fails, it does not have any effect on the given addressby rogue RA, right ?On 2009/11/10, at 10:43, Erik Kline wrote: >> If the latter paragraph only should be executed, the address given >> by rogue RA remains, right ? > > My reading would be that on receipt of a 0-lifetime RA that only the > second paragraph would be executed (lifetime timeout).
Did someone download and install a netstumbler program to see if the Rogue is passing traffic? http://www.netstumbler.com/downloads/On Mon, 9 Nov 2009 19:52:48 +0900, Arifumi Matsumoto wrote: > Hi, > > On 2009/11/09, at 13:43, Yuji Sekiya wrote: > >> >> Dear IET76 Attendees, >> This is Yuji Sekiya, IETF NOC. >> >> Someone's laptop announces Rogue IPv6 RA on >> SSID:ietf network. >> >> We send fake RAs with routerlifetime=0, so your computer >> may not be affected, however, the Rogue RAs are still announced. > > Is that true ? > > IIRC, routerlifetime and address lifetime is not correlated. > > So, that address can be used for the source address for > outgoing sessions, right ? > > You also have to deprecate the address by announcing PIO > with preferred lifetime 0. > > Regards, > >> >> MAC addresses of laptop which announces Rogue RA are >> >> 00:1b:77:bc:a4:e6 >> 00:21:6b:3c:8c:e2 >> >> Please STOP announcement of Rogue RA !!! >> >> -- Yuji Sekiya >> >> _______________________________________________ >> 76attendees mailing list >> >> https://www.ietf.org/mailman/listinfo/76atten... > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
At Mon, 09 Nov 2009 13:43:54 +0900, Yuji Sekiya wrote: Dear IETF76 participants, In Cattleya West Root room the below client is still sending Rogue RA. The client also sent it yesterday. 00:21:6b:3c:8c:e2 The machine name is "T400" by DHCP log. We will kick out the client from wireless network at 2:00pm. Please check MAC address of your PC. Regards, -- Yuji Sekiya> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
Dear All, "00:21:6b:3c:8c:e2" has been blocked from IETF76 WiFi at 2:00pm. Please, people who owns this client contact to the Helpdesk in the terminal room or NOC in the UME(4th Floor). (See the IETF message board) Also, we are hunting another Rouge RA client on the venue. MAC address is "00:1b:77:bc:a4:e6" in the ORCHID West. If RA sending from this client will be continued, we will block the client. Regards, -- Masafumi OE/ NAOJOn Tue, Nov 10, 2009 at 01:15:01PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Dear IETF76 participants, > > In Cattleya West Root room the below client is still > sending Rogue RA. The client also sent it yesterday. > > 00:21:6b:3c:8c:e2 > > The machine name is "T400" by DHCP log. > > We will kick out the client from wireless network > at 2:00pm. > > Please check MAC address of your PC. > > Regards, > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Looks like another Thinkpad machine because the OUI for this new mac-addr matches the OUI of the previous machine sending Rogue RA. 00-1B-77 (hex) Intel Corporate 001B77 (base 16) Intel Corporate Lot 8, Jalan Hi-Tech 2/3 Kulim Hi-Tech Park Kulim Kedah 09000 MALAYSIA Hemant -----Original Message----- From: [mailto:] On Behalf Of Masafumi OE Sent: Tuesday, November 10, 2009 2:36 PM To: Subject: Re: [76attendees] Rogue IPv6 RA Dear All, "00:21:6b:3c:8c:e2" has been blocked from IETF76 WiFi at 2:00pm. Please, people who owns this client contact to the Helpdesk in the terminal room or NOC in the UME(4th Floor). (See the IETF message board) Also, we are hunting another Rouge RA client on the venue. MAC address is "00:1b:77:bc:a4:e6" in the ORCHID West. If RA sending from this client will be continued, we will block the client. Regards, -- Masafumi OE/ NAOJ-- Masafumi OE, Astronomy Data Center, NAOJ.On Tue, Nov 10, 2009 at 01:15:01PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Dear IETF76 participants, > > In Cattleya West Root room the below client is still > sending Rogue RA. The client also sent it yesterday. > > 00:21:6b:3c:8c:e2 > > The machine name is "T400" by DHCP log. > > We will kick out the client from wireless network > at 2:00pm. > > Please check MAC address of your PC. > > Regards, > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
At Mon, 09 Nov 2009 13:43:54 +0900, Yuji Sekiya wrote: The below client advertise Rogue RA again today, so we will block the MAC address soon. 00:1b:77:bc:a4:e6 Hostname is PC-de-pascal by DHCP log. Please check your PC. Regards, -- Yuji Sekiya> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
Ad