ArchiveOrangemail archive

76attendees.ietf.org


(List home) (Recent threads) (189 other Internet Engineering Task Force (IETF) lists)

Subscription Options

  • RSS or Atom: Read-only subscription using a browser or aggregator. This is the recommended way if you don't need to send messages to the list. You can learn more about feed syndication and clients here.
  • Conventional: All messages are delivered to your mail address, and you can reply. To subscribe, send an email to the list's subscribe address with "subscribe" in the subject line, or visit the list's homepage here.
  • This list contains about 795 messages, beginning Oct 2009
  • This list doesn't seem to be active
Report the Spam
This button sends a spam report to the moderator. Please use it sparingly. For other removal requests, read this.
Are you sure? yes no

Rogue IPv6 RA

Ad
Yuji Sekiya 1257741723Mon, 09 Nov 2009 04:42:03 +0000 (UTC)
Dear IET76 Attendees,
This is Yuji Sekiya, IETF NOC.

Someone's laptop announces Rogue IPv6 RA on
SSID:ietf network.

We send fake RAs with routerlifetime=0, so your computer
may not be affected, however, the Rogue RAs are still announced.

MAC addresses of laptop which announces Rogue RA are

   00:1b:77:bc:a4:e6
   00:21:6b:3c:8c:e2

Please STOP announcement of Rogue RA !!!

-- Yuji Sekiya
Masafumi OE 1257742252Mon, 09 Nov 2009 04:50:52 +0000 (UTC)
Dear IET76 Attendees,
On Mon, Nov 09, 2009 at 01:43:54PM +0900, Yuji Sekiya wrote: > > Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6
is located in CATTLEA-East. > 00:21:6b:3c:8c:e2 is located in CATTLEA-East.
> Please STOP announcement of Rogue RA !!! >
Tony Hain 1257742574Mon, 09 Nov 2009 04:56:14 +0000 (UTC)
As seen from Acacia West the broken machine is:

bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d)

Prefix 2002:855d:13c9:9::
Prefix fec0:0:0:9::
> -----Original Message----- > From: [mailto:76attendees- > ] On Behalf Of Masafumi OE > Sent: Monday, November 09, 2009 1:53 PM > To: Yuji Sekiya > Cc: > Subject: Re: [76attendees] Rogue IPv6 RA > > > Dear IET76 Attendees, > > On Mon, Nov 09, 2009 at 01:43:54PM +0900, > Yuji Sekiya wrote: > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > is located in CATTLEA-East. > > > 00:21:6b:3c:8c:e2 > is located in CATTLEA-East. > > > Please STOP announcement of Rogue RA !!! > > > > > -- > Masafumi OE, Astronomy Data Center, NAOJ. > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
evyncke 1257742993Mon, 09 Nov 2009 05:03:13 +0000 (UTC)
Interesting to see ULA on WiFi indeed ;-)
On 9/11/09 13:56, "Tony Hain" wrote: > As seen from Acacia West the broken machine is: > > bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d) > > Prefix 2002:855d:13c9:9:: > Prefix fec0:0:0:9:: > > > >> -----Original Message----- >> From: [mailto:76attendees- >> ] On Behalf Of Masafumi OE >> Sent: Monday, November 09, 2009 1:53 PM >> To: Yuji Sekiya >> Cc: >> Subject: Re: [76attendees] Rogue IPv6 RA >> >> >> Dear IET76 Attendees, >> >> On Mon, Nov 09, 2009 at 01:43:54PM +0900, >> Yuji Sekiya wrote: >> >>> >>> Dear IET76 Attendees, >>> This is Yuji Sekiya, IETF NOC. >>> >>> Someone's laptop announces Rogue IPv6 RA on >>> SSID:ietf network. >>> >>> We send fake RAs with routerlifetime=0, so your computer >>> may not be affected, however, the Rogue RAs are still announced. >>> >>> MAC addresses of laptop which announces Rogue RA are >>> >>> 00:1b:77:bc:a4:e6 >> is located in CATTLEA-East. >> >>> 00:21:6b:3c:8c:e2 >> is located in CATTLEA-East. >> >>> Please STOP announcement of Rogue RA !!! >>> >> >> >> -- >> Masafumi OE, Astronomy Data Center, NAOJ. >> _______________________________________________ >> 76attendees mailing list >> >> https://www.ietf.org/mailman/listinfo/76atten... > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Tony Hain 1257744852Mon, 09 Nov 2009 05:34:12 +0000 (UTC)
That is not ula, it is site-local. Both of those prefixes are in the same RA
> -----Original Message----- > From: evyncke [mailto:] > Sent: Monday, November 09, 2009 2:01 PM > To: ; 'Masafumi OE'; 'Yuji Sekiya' > Cc: > Subject: Re: [76attendees] Rogue IPv6 RA > > Interesting to see ULA on WiFi indeed ;-) > > > On 9/11/09 13:56, "Tony Hain" wrote: > > > As seen from Acacia West the broken machine is: > > > > bogus RA's from Dell_cd:e2:4d (00:11:43:cd:e2:4d) > > > > Prefix 2002:855d:13c9:9:: > > Prefix fec0:0:0:9:: > > > > > > > >> -----Original Message----- > >> From: [mailto:76attendees- > >> ] On Behalf Of Masafumi OE > >> Sent: Monday, November 09, 2009 1:53 PM > >> To: Yuji Sekiya > >> Cc: > >> Subject: Re: [76attendees] Rogue IPv6 RA > >> > >> > >> Dear IET76 Attendees, > >> > >> On Mon, Nov 09, 2009 at 01:43:54PM +0900, > >> Yuji Sekiya wrote: > >> > >>> > >>> Dear IET76 Attendees, > >>> This is Yuji Sekiya, IETF NOC. > >>> > >>> Someone's laptop announces Rogue IPv6 RA on > >>> SSID:ietf network. > >>> > >>> We send fake RAs with routerlifetime=0, so your computer > >>> may not be affected, however, the Rogue RAs are still announced. > >>> > >>> MAC addresses of laptop which announces Rogue RA are > >>> > >>> 00:1b:77:bc:a4:e6 > >> is located in CATTLEA-East. > >> > >>> 00:21:6b:3c:8c:e2 > >> is located in CATTLEA-East. > >> > >>> Please STOP announcement of Rogue RA !!! > >>> > >> > >> > >> -- > >> Masafumi OE, Astronomy Data Center, NAOJ. > >> _______________________________________________ > >> 76attendees mailing list > >> > >> https://www.ietf.org/mailman/listinfo/76atten... > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten...
Rob Evans 1257743009Mon, 09 Nov 2009 05:03:29 +0000 (UTC)
> MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!!
As I've just gone through this with someone that was sending RAs earlier, it seems as though if you've enabled internet connection sharing on Windows XP in the past, it may still be sending RAs even if ICS is disabled. From a command prompt: netsh interface ipv6 show interface level=verbose Look through the output for "Sends Router Advertisements : Yes", and for those interfaces do: set interface "Wireless Network Connection" advertise=disabled Replace "Wireless Network Connection" with the name of the relevant interface. I doubt this is persistent. Rob
JORDI PALET MARTINEZ 1257748645Mon, 09 Nov 2009 06:37:25 +0000 (UTC)
Using netsh you typically have the option to add:

store=persistent

(persistent across reboots)

or

store=active

(valid only until you reboot)

Other tips when you configured 6to4 in your laptop and want to "undo" it,
available for several operating systems at:
http://www.ipv6tf.org/index.php?page=using/co...

Regards,
Jordi
> De: Rob Evans > Responder a: > Fecha: Mon, 09 Nov 2009 05:01:49 +0000 > Para: > Asunto: Re: [76attendees] Rogue IPv6 RA > >> MAC addresses of laptop which announces Rogue RA are >> >> 00:1b:77:bc:a4:e6 >> 00:21:6b:3c:8c:e2 >> >> Please STOP announcement of Rogue RA !!! > > As I've just gone through this with someone that was sending RAs > earlier, it seems as though if you've enabled internet connection > sharing on Windows XP in the past, it may still be sending RAs even if > ICS is disabled. > > From a command prompt: > netsh > interface ipv6 > show interface level=verbose > > Look through the output for "Sends Router Advertisements : Yes", and for > those interfaces do: > > set interface "Wireless Network Connection" advertise=disabled > > Replace "Wireless Network Connection" with the name of the relevant > interface. > > I doubt this is persistent. > > Rob > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Yuji Sekiya 1257761916Mon, 09 Nov 2009 10:18:36 +0000 (UTC)
At Mon, 09 Nov 2009 13:43:54 +0900,
Yuji Sekiya wrote:

Nowcomer...

   00:16:cb:b5:c8:fe

on SSID:ietf network.

-- Yuji Sekiya
> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
Masafumi OE 1257762318Mon, 09 Nov 2009 10:25:18 +0000 (UTC)
The client location is front-right side in ORCHID EAST.

--
Masafumi OE
On Mon, Nov 09, 2009 at 07:20:27PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Nowcomer... > > 00:16:cb:b5:c8:fe > > on SSID:ietf network. > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Arifumi Matsumoto 1257763751Mon, 09 Nov 2009 10:49:11 +0000 (UTC)
Hi,
On 2009/11/09, at 13:43, Yuji Sekiya wrote: > > Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced.
Is that true ? IIRC, routerlifetime and address lifetime is not correlated. So, that address can be used for the source address for outgoing sessions, right ? You also have to deprecate the address by announcing PIO with preferred lifetime 0. Regards,
> > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Yuji Sekiya 1257764003Mon, 09 Nov 2009 10:53:23 +0000 (UTC)
At Mon, 9 Nov 2009 19:52:48 +0900, Arifumi Matsumoto wrote: > IIRC, routerlifetime and address lifetime is not correlated. > > So, that address can be used for the source address for > outgoing sessions, right ?
I think some of implementation bind prefix and its default router, so default router is expired, the prefix is not selected as source address. -- Yuji Sekiya
Arifumi Matsumoto 1257777019Mon, 09 Nov 2009 14:30:19 +0000 (UTC)
Hi,
let me CC to 6man ML,

Per RFC4861,

6.3.4.  Processing Received Router Advertisements
...
       - If the address is already present in the host's Default Router
         List and the received Router Lifetime value is zero,  
immediately
         time-out the entry as specified in Section 6.3.5.
...
6.3.5.  Timing out Prefixes and Default Routers

    Whenever the invalidation timer expires for a Prefix List entry,  
that
    entry is discarded.  No existing Destination Cache entries need be
    updated, however.  Should a reachability problem arise with an
    existing Neighbor Cache entry, Neighbor Unreachability Detection  
will
    perform any needed recovery.

    Whenever the Lifetime of an entry in the Default Router List  
expires,
    that entry is discarded.  When removing a router from the Default
    Router list, the node MUST update the Destination Cache in such a  
way
    that all entries using the router perform next-hop determination
    again rather than continue sending traffic to the (deleted) router.

I'm not sure what does "immediately time-out the entry as specified
in Section 6.3.5." mean.
Does it mean both paragraphs in 6.3.5. or just the latter paragraph ?

If the latter paragraph only should be executed, the address given
by rogue RA remains, right ?
On 2009/11/09, at 19:55, Yuji Sekiya wrote: > At Mon, 9 Nov 2009 19:52:48 +0900, > Arifumi Matsumoto wrote: > >> IIRC, routerlifetime and address lifetime is not correlated. >> >> So, that address can be used for the source address for >> outgoing sessions, right ? > > I think some of implementation bind prefix and its default > router, so default router is expired, the prefix is not > selected as source address. > > -- Yuji Sekiya
Arifumi Matsumoto 1257817689Tue, 10 Nov 2009 01:48:09 +0000 (UTC)
Erik,
On 2009/11/10, at 10:43, Erik Kline wrote: >> If the latter paragraph only should be executed, the address given >> by rogue RA remains, right ? > > My reading would be that on receipt of a 0-lifetime RA that only the > second paragraph would be executed (lifetime timeout).
Second to that.
> However, all > hosts receiving the 0-lifetime RA would then have to recompute the > next-hop, which in /some/ cases may require sending a RS (which the > rogue RA node would presumably hear and re-answer). (Of course I > haven't verified this against any implementation :)
I fail to get your point. Requiring sending a RS leads to ... ? Even if that RS fails, it does not have any effect on the given addressby rogue RA, right ?
Harold Huggins 1257768512Mon, 09 Nov 2009 12:08:32 +0000 (UTC)
Did someone download and install a netstumbler program to see if the Rogue
is passing traffic?


http://www.netstumbler.com/downloads/
On Mon, 9 Nov 2009 19:52:48 +0900, Arifumi Matsumoto wrote: > Hi, > > On 2009/11/09, at 13:43, Yuji Sekiya wrote: > >> >> Dear IET76 Attendees, >> This is Yuji Sekiya, IETF NOC. >> >> Someone's laptop announces Rogue IPv6 RA on >> SSID:ietf network. >> >> We send fake RAs with routerlifetime=0, so your computer >> may not be affected, however, the Rogue RAs are still announced. > > Is that true ? > > IIRC, routerlifetime and address lifetime is not correlated. > > So, that address can be used for the source address for > outgoing sessions, right ? > > You also have to deprecate the address by announcing PIO > with preferred lifetime 0. > > Regards, > >> >> MAC addresses of laptop which announces Rogue RA are >> >> 00:1b:77:bc:a4:e6 >> 00:21:6b:3c:8c:e2 >> >> Please STOP announcement of Rogue RA !!! >> >> -- Yuji Sekiya >> >> _______________________________________________ >> 76attendees mailing list >> >> https://www.ietf.org/mailman/listinfo/76atten... > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Yuji Sekiya 1257826401Tue, 10 Nov 2009 04:13:21 +0000 (UTC)
At Mon, 09 Nov 2009 13:43:54 +0900,
Yuji Sekiya wrote:

Dear IETF76 participants,

In Cattleya West Root room the below client is still
sending Rogue RA. The client also sent it yesterday.

00:21:6b:3c:8c:e2

The machine name is "T400" by DHCP log.

We will kick out the client from wireless network
at 2:00pm.

Please check MAC address of your PC.

Regards,

-- Yuji Sekiya
> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
Masafumi OE 1257831279Tue, 10 Nov 2009 05:34:39 +0000 (UTC)
Dear All,

"00:21:6b:3c:8c:e2" has been blocked from IETF76 WiFi at 2:00pm.

Please, people who owns this client contact to the Helpdesk in 
the terminal room or NOC in the UME(4th Floor).
(See the IETF message board)

Also, we are hunting another Rouge RA client on the venue.
MAC address is "00:1b:77:bc:a4:e6" in the ORCHID West.
If RA sending from this client will be continued, we will block 
the client.

Regards,

--
Masafumi OE/ NAOJ
On Tue, Nov 10, 2009 at 01:15:01PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Dear IETF76 participants, > > In Cattleya West Root room the below client is still > sending Rogue RA. The client also sent it yesterday. > > 00:21:6b:3c:8c:e2 > > The machine name is "T400" by DHCP log. > > We will kick out the client from wireless network > at 2:00pm. > > Please check MAC address of your PC. > > Regards, > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
Hemant Singh (shemant) 1257831434Tue, 10 Nov 2009 05:37:14 +0000 (UTC)
Looks like another Thinkpad machine because the OUI for this new
mac-addr matches the OUI of the previous machine sending Rogue RA.

00-1B-77   (hex)		Intel Corporate
001B77     (base 16)    Intel Corporate
				Lot 8, Jalan Hi-Tech 2/3
				Kulim Hi-Tech Park
				Kulim Kedah 09000
				MALAYSIA

Hemant

-----Original Message-----
From:  [mailto:]
On Behalf Of Masafumi OE
Sent: Tuesday, November 10, 2009 2:36 PM
To: 
Subject: Re: [76attendees] Rogue IPv6 RA

Dear All,

"00:21:6b:3c:8c:e2" has been blocked from IETF76 WiFi at 2:00pm.

Please, people who owns this client contact to the Helpdesk in 
the terminal room or NOC in the UME(4th Floor).
(See the IETF message board)

Also, we are hunting another Rouge RA client on the venue.
MAC address is "00:1b:77:bc:a4:e6" in the ORCHID West.
If RA sending from this client will be continued, we will block 
the client.

Regards,

--
Masafumi OE/ NAOJ
On Tue, Nov 10, 2009 at 01:15:01PM +0900, Yuji Sekiya wrote: > At Mon, 09 Nov 2009 13:43:54 +0900, > Yuji Sekiya wrote: > > Dear IETF76 participants, > > In Cattleya West Root room the below client is still > sending Rogue RA. The client also sent it yesterday. > > 00:21:6b:3c:8c:e2 > > The machine name is "T400" by DHCP log. > > We will kick out the client from wireless network > at 2:00pm. > > Please check MAC address of your PC. > > Regards, > > -- Yuji Sekiya > > > > > Dear IET76 Attendees, > > This is Yuji Sekiya, IETF NOC. > > > > Someone's laptop announces Rogue IPv6 RA on > > SSID:ietf network. > > > > We send fake RAs with routerlifetime=0, so your computer > > may not be affected, however, the Rogue RAs are still announced. > > > > MAC addresses of laptop which announces Rogue RA are > > > > 00:1b:77:bc:a4:e6 > > 00:21:6b:3c:8c:e2 > > > > Please STOP announcement of Rogue RA !!! > > > > -- Yuji Sekiya > > > > _______________________________________________ > > 76attendees mailing list > > > > https://www.ietf.org/mailman/listinfo/76atten... > > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten...
-- Masafumi OE, Astronomy Data Center, NAOJ.
Yuji Sekiya 1258007133Thu, 12 Nov 2009 06:25:33 +0000 (UTC)
At Mon, 09 Nov 2009 13:43:54 +0900,
Yuji Sekiya wrote:

The below client advertise Rogue RA again today,
so we will block the MAC address soon.

00:1b:77:bc:a4:e6
Hostname is PC-de-pascal by DHCP log.

Please check your PC.

Regards,

-- Yuji Sekiya
> Dear IET76 Attendees, > This is Yuji Sekiya, IETF NOC. > > Someone's laptop announces Rogue IPv6 RA on > SSID:ietf network. > > We send fake RAs with routerlifetime=0, so your computer > may not be affected, however, the Rogue RAs are still announced. > > MAC addresses of laptop which announces Rogue RA are > > 00:1b:77:bc:a4:e6 > 00:21:6b:3c:8c:e2 > > Please STOP announcement of Rogue RA !!! > > -- Yuji Sekiya > > _______________________________________________ > 76attendees mailing list > > https://www.ietf.org/mailman/listinfo/76atten... >
Ad
Home | About | Privacy