IPv6, IPSEC and DoS

Iljitsch van Beijnum iljitsch at muada.com
Mon Jan 3 15:54:41 UTC 2005


On 3-jan-05, at 16:29, J. Oquendo wrote:

>> To prevent ARP or ND spoofing attacks you should have L2 switch support
>> for it! Or you can use static ARP or ND entries, which is rather difficult
>> to maintain.

> Funny you should mention this. I thought about this but figured the
> following: regardless of VLAN/PVLAN settings, switches still need to
> build an ARP table.

Yes, and that's why you need static MAC forwarding tables too.

If you can then enforce the port->MAC->IP mappings you're pretty much
bulletproof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.
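The port->MAC->IP enforcement described in the reply above, as an added example that is not part of the original post and not any switch vendor's code. It models what a switch does per ARP reply or ND advertisement when it has a static binding table: the ingress port must carry its bound MAC, the MAC inside the ARP/ND payload must match the Ethernet source, and that MAC may only claim the IPs bound to it. The port names, binding table and the list of events are constructed sample data, and the event fields are an assumption made for this example rather than any real log format.

```python
"""Static port->MAC->IP binding enforcement (added example, constructed data).

Mirrors the checks a switch performs in ARP/ND inspection: a frame that
arrives on a port is only forwarded if its source MAC is the one bound to
that port, its ARP/ND payload names the same MAC, and the IP it claims
belongs to that MAC. Both IPv4 (ARP) and IPv6 (ND) bindings are handled.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# Constructed binding table: one MAC per port, and the set of IPs that MAC
# may claim (a dual-stack host has an IPv4 and an IPv6 address on one MAC).
BINDINGS: Dict[str, Tuple[str, Set[str]]] = {
    "Gi1/0/1": ("00:11:22:33:44:55", {"192.0.2.10", "2001:db8::10"}),
    "Gi1/0/2": ("00:11:22:33:44:66", {"192.0.2.11", "2001:db8::11"}),
}


@dataclass(frozen=True)
class NeighborEvent:
    """One observed ARP reply / ND advertisement (assumed field layout)."""
    port: str        # ingress switch port
    src_mac: str     # Ethernet source address of the frame
    sender_mac: str  # MAC carried inside the ARP payload / ND link-layer option
    sender_ip: str   # IP the sender claims to own


def _norm_mac(mac: str) -> str:
    # Accept aa:bb:... and aa-bb-... and compare case-insensitively.
    return mac.replace("-", ":").lower()


def _norm_ip(ip: str) -> Optional[str]:
    # Canonical text form so 2001:DB8::10 and 2001:db8:0:0::10 compare equal;
    # None for anything that is not a valid address.
    try:
        return str(ip_address(ip))
    except ValueError:
        return None


def check_event(ev: NeighborEvent,
                bindings: Dict[str, Tuple[str, Set[str]]] = BINDINGS) -> Tuple[bool, str]:
    """Return (allowed, reason), checking port->MAC, then header/payload
    consistency, then MAC->IP, in the order a switch would drop the frame."""
    binding = bindings.get(ev.port)
    if binding is None:
        return False, "no binding for port"
    bound_mac = _norm_mac(binding[0])
    bound_ips = {_norm_ip(ip) for ip in binding[1]}

    src_mac = _norm_mac(ev.src_mac)
    if src_mac != bound_mac:
        return False, "port->MAC mismatch"
    if _norm_mac(ev.sender_mac) != src_mac:
        # Classic poisoning: legitimate frame source, but the payload tells
        # the victim to map the IP to some other MAC.
        return False, "payload MAC differs from frame source MAC"

    sender_ip = _norm_ip(ev.sender_ip)
    if sender_ip is None:
        return False, "malformed IP"
    if sender_ip not in bound_ips:
        return False, "MAC->IP mismatch"
    return True, "ok"


# Constructed events: one legitimate ARP, one legitimate ND with mixed-case
# address, one host on port 2 claiming port 1's IPv4 address, one host on
# port 2 claiming port 1's IPv6 address, and one port 2 host borrowing
# port 1's MAC outright.
SAMPLE_EVENTS: List[NeighborEvent] = [
    NeighborEvent("Gi1/0/1", "00:11:22:33:44:55", "00:11:22:33:44:55", "192.0.2.10"),
    NeighborEvent("Gi1/0/1", "00-11-22-33-44-55", "00:11:22:33:44:55", "2001:DB8::10"),
    NeighborEvent("Gi1/0/2", "00:11:22:33:44:66", "00:11:22:33:44:66", "192.0.2.10"),
    NeighborEvent("Gi1/0/2", "00:11:22:33:44:66", "00:11:22:33:44:66", "2001:db8::10"),
    NeighborEvent("Gi1/0/2", "00:11:22:33:44:55", "00:11:22:33:44:55", "192.0.2.10"),
]


def audit(events: List[NeighborEvent]) -> List[Tuple[NeighborEvent, bool, str]]:
    """Run every event through check_event and return the verdicts."""
    return [(ev, *check_event(ev)) for ev in events]


if __name__ == "__main__":
    for ev, allowed, reason in audit(SAMPLE_EVENTS):
        verdict = "PERMIT" if allowed else "DROP  "
        print(f"{verdict} {ev.port} {ev.src_mac} -> {ev.sender_ip}: {reason}")
```

The MAC->IP check is the part the reply says switches of the day did not do; the example treats the binding table as static, which is exactly the maintenance burden the quoted text complains about. The order of the checks matters: a frame that already fails the port->MAC test is dropped before its IP claim is ever examined.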
