IPv6 RA vs DHCPv6 - The chosen one?

Jeff Wheeler jsw at inconcepts.biz
Fri Dec 23 21:23:31 UTC 2011


On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <mohacsi at niif.hu> wrote:
> If you can limit the number of ARP/NDP entries per interface and you complement
> RAGuard and DHCPv4 snooping you are done.

That depends on how ARP/ND gleaning works on the box.  In short, Cisco
already has a knob to limit the number of ND entries per interface on
some of their kit, and it is not a solution, only a damage mitigation
measure.  http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts



