Some Windows networking consultants are so concerned about the hole and Microsoft's lack of interest in fixing it, that they have been warning users directly. "There is a serious Windows vulnerability for RA flooding as a denial-of-service attack on wired LANs. It only takes between 5 to 20 packets to CPU-bound every Windows 7 or Server 2008 machine on that subnet," said Microsoft MVP Ed Horley, Principal Solutions Architect at Groupware Technology to attendees of the Rocky Mountain IPv6 Summit in Denver, Colo., last week. "I have heard rumor it can also lock out Playstation 2 and Xbox consoles. With enough packets it requires a hard reboot to recover."
Although several workarounds exist, each has a significant drawback. One is to turn off IPv6, http://www.networkworld.com/topics/ipv6.html which also disables new Microsoft technologies that rely on it, such as DirectAccess, a service that allows Windows 7 machines to have an always-on remote access connection to Windows Server 2008 R2 servers. Remote Access is touted as a money-saving option as it replaces the need for a separate VPN in Windows environments.
Experts also advise using a router that has implemented a Cisco technology called RA Guard - and while Cisco routers support RA Guard, not all routers do. RA Guard was submitted as an informational document to the IETF, RFC 6105, but it is not on track to become a standard.
Juniper, for instance, has no intention of implementing it and is instead waiting for IETF RFC 6164. "RFC 6105 IPv6 Router Advertisement Guard, published about nine weeks ago, is an informational RFC, as opposed to an IETF Standard, that documents Cisco's proprietary RA-Guard technology. Cisco asserts that at least one of their patent applications (US PPA 20080307516) covers this technology. While Cisco has stated that should RFC 6105 become a standard then they will make a royalty-free license available, since this is not yet a standard there is no such option. We can however achieve much the same functionality simply by applying access control lists," said Juniper's Peter Lunk, director of product marketing for high-end security systems.
Lunk added: "Conversely, RFC 6164, released last month, is a 'standards track' RFC (which is to say on the way to being, but not yet, a standard) supported by Juniper, Google and IBM and others that addresses many of the same issues in a much more open manner. We expect this to be ratified as a full standard at the next IETF meeting in July."
Sign up for Computerworld eNewsletters.