RA Guard (RFC 6105 / RFC 7113)

As the world is slowly moving towards IPv6, proper security measures should also be available for OpenWrt-powered networks.
Especially as OpenWrt-powered switches are now available, I would like to suggest implementing the following:

RA Guard - Router Advertisement Guard, RFC 6105
Further implementation advice is detailed in RFC 7113


Any particular pointers if some ends are loosened over very compliant Linux kernel defaults?

Have only found https://github.com/systemd/systemd/issues/2977 about systemd related to this problem.

And this presentation:

max_addresses is set to 16

sysctl net.ipv6.conf.default.drop_unsolicited_na=1 net.ipv6.conf.all.drop_unsolicited_na=1

and probably firewall needs to maintain TTL-s on autoconf packets

Thank you for your insight.
This is fine for the router, but what about the OpenWrt-managed switches? How do I configure that only a certain port is connected to the router and accepts RAs to be forwarded to clients?

Not in your documents, bridge filtering does not work unless you bridge only real netcards. DSA gives the appearance it could but does not. This with DHCPv4 also.

The odhcp6 suite does not yet understand SEND. Support for it seems a non-trivial effort.

Thank you for your input. No one has SEND as far as I know.

At the moment I was more suggesting some predefined ACLs and filters for individual ports on a router or smart switch.

DSA gives the appearance that it is possible, but it takes quick paths via the switch, so the filtering there is not trivial (as I said, DHCPv4 too cannot be made a "provider" lookalike).
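
Added example, not part of the thread and not OpenWrt code: a simplified software model of the per-port decision an RA Guard filter makes, following the RFC 7113 advice to walk the whole IPv6 header chain instead of checking only the first Next Header. The `router_port` flag, the minimal set of recognized upper-layer protocols and the sample packets are assumptions constructed for illustration; it says nothing about whether a given DSA switch can apply such a filter in hardware.

```python
import ipaddress
import struct

RA_TYPE = 134                  # ICMPv6 Router Advertisement
EXT_HDRS = {0, 43, 60}         # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6 = 44, 58
OTHER_UPPER = {6, 17, 59}      # TCP, UDP, no-next-header (minimal set, an assumption)

def ra_guard(pkt: bytes, router_port: bool) -> str:
    """Return 'pass' or 'drop' for one raw IPv6 packet arriving on a switch port."""
    if router_port or len(pkt) < 40:
        return "pass"          # trusted uplink, or no complete IPv6 header to inspect
    nxt, hop_limit, src = pkt[6], pkt[7], pkt[8:24]
    link_local = src[0] == 0xFE and (src[1] & 0xC0) == 0x80
    if not link_local or hop_limit != 255:
        return "pass"          # hosts would not accept this as an RA anyway
    off = 40
    while off <= len(pkt):
        if nxt in EXT_HDRS:
            if off + 2 > len(pkt):
                break
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            if off + 8 > len(pkt):
                break
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "pass"  # non-first fragment: no upper-layer header inside
            nxt, off = pkt[off], off + 8
        elif nxt == ICMPV6:
            if off >= len(pkt):
                break          # header chain ends before the ICMPv6 type
            return "drop" if pkt[off] == RA_TYPE else "pass"
        elif nxt in OTHER_UPPER:
            return "pass"
        else:
            break              # unrecognized Next Header value
    return "drop"              # incomplete chain or unknown header: fail closed

def ipv6(src: str, hop: int, nxt: int, payload: bytes) -> bytes:
    """Build a constructed sample packet addressed to ff02::1."""
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, hop) + addrs + payload

# Constructed sample payloads
RA = bytes([134, 0]) + bytes(14)                    # minimal Router Advertisement
PAD_DSTOPT = bytes([58, 0, 1, 4, 0, 0, 0, 0])       # destination options, next = ICMPv6
FIRST_FRAG = bytes([60, 0, 0, 1, 0, 0, 0, 7])       # fragment header, offset 0, M = 1
```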