IPv6 RA vs DHCPv6 - The chosen one?
Mohacsi Janos
mohacsi at niif.hu
Fri Dec 23 21:13:54 UTC 2011
On Fri, 23 Dec 2011, Tomas Podermanski wrote:
>
> Port security does not help in that case (same as 802.1x). Port security
> is a layer 2 feature so all layer 3 attacks can be still performed. That
> prevents only against source MAC address spoofing. All other attacks
> like DAD DOS, NDP Exhaustion, RA flooding etc. can be performed even
> though the port security is implemented.
If you can limit number of ARP/NDP entries per interfaces and you
complement RAGuard and DHCPv4 snooping your are done.
With "extended port security" such a features are comming...
Best Regards,
Janos Mohacsi
More information about the NANOG
mailing list