IPv6, IPSEC and DoS

Iljitsch van Beijnum iljitsch at muada.com
Mon Jan 3 15:54:41 UTC 2005

On 3-jan-05, at 16:29, J. Oquendo wrote:

>> To prevent ARP or ND spoofing attack you should have L2 switch 
>> support to
>> it! Or you can use static ARP or ND entries, which is rather 
>> difficult to
>> maintain.

> Funny you should mention this I thought about this but figure the
> following, regardless of VLAN/PVLAN/ settings, switches still need to
> build an ARP table

Yes, and that's why you need static MAC forwarding tables too.

If you can then enforce the port->MAC->IP mappings you're pretty much 
bullet proof. I know there are switches that can handle the port->MAC 
part. An alternative for the MAC->IP part would be the TCP MD5 option 
or IPsec.

More information about the NANOG mailing list