RA Guard

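Table 1. IPv6 Router Advertisement (RA) Guard product support

| Feature | Product | Release introduced |
|---|---|---|
| IPv6 Router Advertisement (RA) Guard | 5320 Series | Fabric Engine 8.6 |
| IPv6 Router Advertisement (RA) Guard | 5420 Series | VOSS 8.4 |
| IPv6 Router Advertisement (RA) Guard | 5520 Series | VOSS 8.2.5 |
| IPv6 Router Advertisement (RA) Guard | 5720 Series | Fabric Engine 8.7 |
| IPv6 Router Advertisement (RA) Guard | 7520 Series | Fabric Engine 8.10 |
| IPv6 Router Advertisement (RA) Guard | 7720 Series | Fabric Engine 8.10 |
| IPv6 Router Advertisement (RA) Guard | VSP 4900 Series | VOSS 8.1 |
| IPv6 Router Advertisement (RA) Guard | VSP 7400 Series | VOSS 8.0 |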

IPv6 hosts can configure themselves automatically when connected to a routed IPv6 network through ICMPv6 router discovery messages. When the host is connected to the network for the first time, it sends a link-local router solicitation multicast request for its configuration parameters. If the host is configured correctly, routers respond to the request with a Router Advertisement (RA) packet. The RA packet contains network-layer configuration parameters.

In addition to filtering RAs, RA Guard introduces the concept of a router authorization proxy. Instead of each node on the link analyzing RAs and making an individual decision, a legitimate adversary-in-the-middle performs the analysis on behalf of all other nodes on the link.

Stateless and stateful RA Guard functions are available. The switch supports only the stateless RA Guard function.

Stateless RA Guard examines incoming RAs and decides whether to forward or block them based on the information found in the message or in the Layer 2 device configuration. The following list identifies the typical information available in the received frames that is used for RA validation:

After the Layer 2 device successfully validates the RA packet content against the configuration, the RA is forwarded to its destination, whether unicast or multicast. If the validation fails, the RA is dropped at the Layer 2 device.
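The forward-or-drop decision described above can be modelled in a few lines. This is an added example, not the switch's own implementation: the port names, the `POLICY` table, the function names and the chosen checks (ingress port role, source MAC allow-list, link-local source address, hop limit 255) are assumptions made for illustration, and it assumes unfragmented packets.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE = 58, 134
EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options

# Hypothetical per-port policy table (constructed for this example).
POLICY = {
    "1/1": {"role": "router", "allowed_macs": {"02:00:00:00:00:01"}},
    "1/2": {"role": "host"},
}

def find_icmpv6_type(ipv6: bytes):
    """Walk the IPv6 extension header chain; return the ICMPv6 type or None."""
    next_hdr, offset = ipv6[6], 40
    while next_hdr in EXT_HEADERS and offset + 2 <= len(ipv6):
        next_hdr, ext_len = ipv6[offset], ipv6[offset + 1]
        offset += (ext_len + 1) * 8
    if next_hdr == ICMPV6 and offset < len(ipv6):
        return ipv6[offset]
    return None

def ra_guard(frame: bytes, port: str, policy=POLICY) -> str:
    """Return 'forward' or 'drop' for one frame received on `port`."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x86DD:
        return "forward"                      # not IPv6: outside RA Guard's scope
    ipv6 = frame[14:]
    if find_icmpv6_type(ipv6) != RA_TYPE:
        return "forward"                      # not a Router Advertisement
    cfg = policy.get(port, {"role": "host"})  # unknown ports are treated as host ports
    if cfg["role"] != "router":
        return "drop"                         # RAs are never accepted from host ports
    src_mac = frame[6:12].hex(":")
    src_ip = ipaddress.IPv6Address(ipv6[8:24])
    hop_limit = ipv6[7]
    if cfg.get("allowed_macs") and src_mac not in cfg["allowed_macs"]:
        return "drop"                         # sender not on the port's allow-list
    if not src_ip.is_link_local or hop_limit != 255:
        return "drop"                         # RA validity rules from RFC 4861
    return "forward"

def build_ra(src_mac: str, src_ip: str, hop_limit: int = 255) -> bytes:
    """Construct a minimal sample RA frame (test input; checksum left at 0)."""
    icmp = bytes([RA_TYPE, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    ip += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x86\xdd" + ip + icmp
```

Walking the extension header chain matters because a filter that only inspects the first Next Header field would pass an RA placed behind a hop-by-hop or destination options header.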