IPv6, IPSEC and DoS
Iljitsch van Beijnum
iljitsch at muada.com
Mon Jan 3 15:54:41 UTC 2005
On 3-jan-05, at 16:29, J. Oquendo wrote:
>> To prevent ARP or ND spoofing attacks you need L2 switch support for
>> it! Or you can use static ARP or ND entries, which is rather
>> difficult to maintain.
> Funny you should mention this. I thought about this but figure the
> following: regardless of VLAN/PVLAN settings, switches still need to
> build an ARP table.
Yes, and that's why you need static MAC forwarding tables too.
If you can then enforce the port->MAC->IP mappings you're pretty much
bulletproof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.
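The port->MAC->IP enforcement described in the reply, as an added example that is not part of the original NANOG post: a Python check that validates observed ARP frames against a static binding table, which is what a switch with static port/MAC/IP bindings does in hardware. The binding table, port names, MAC and IP addresses and the three sample frames are constructed lab values (192.0.2.0/24 is documentation space), not captured traffic. Only IPv4 ARP is handled; an ND check would apply the same logic to the link-layer address option of Neighbor Advertisements.

```python
"""Check ARP frames against a static port->MAC->IP binding table.

Added example, not code from the original post. All addresses, port
names and frames below are constructed lab values.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed binding table: port -> (MAC bound to that port, IP bound to that MAC).
BINDINGS = {
    "Gi0/1": ("00:11:22:33:44:01", "192.0.2.10"),
    "Gi0/2": ("00:11:22:33:44:02", "192.0.2.20"),
    "Gi0/3": ("00:11:22:33:44:03", "192.0.2.1"),   # default gateway
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, opcode, sha, spa, tha, tpa) -> bytes:
    """Build an Ethernet II + ARP (RFC 826, IPv4 over Ethernet) frame."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + mac_to_bytes(sha) + ip_to_bytes(spa)
           + mac_to_bytes(tha) + ip_to_bytes(tpa))
    return eth + arp


@dataclass
class Arp:
    eth_src: str   # Ethernet source address (layer 2 header)
    opcode: int
    sha: str       # ARP sender hardware address
    spa: str       # ARP sender protocol address


def parse_arp(frame: bytes):
    """Return the fields we validate, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(bytes_to_mac(src), opcode,
               bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32]))


def check_arp(ingress_port: str, frame: bytes, bindings=BINDINGS) -> str:
    """Verdict for one frame seen on a port: 'ok' to forward, or 'drop: <reason>'."""
    arp = parse_arp(frame)
    if arp is None:
        return "drop: not an IPv4 ARP frame"
    if ingress_port not in bindings:
        return "drop: no binding for port"
    mac, ip = bindings[ingress_port]
    if arp.eth_src != mac:          # the port->MAC part (port security)
        return "drop: Ethernet source MAC not bound to this port"
    if arp.sha != mac:              # ARP payload must agree with the L2 header
        return "drop: ARP sender MAC differs from bound MAC"
    if arp.spa != ip:               # the MAC->IP part
        return "drop: ARP sender IP not bound to this port/MAC"
    return "ok"


def audit(observations, bindings=BINDINGS):
    """Run check_arp over (port, frame) pairs and return the verdicts in order."""
    return [check_arp(port, frame, bindings) for port, frame in observations]


# Constructed traffic: one legitimate request and two spoofing attempts.
LEGIT = build_arp("00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                  "00:11:22:33:44:01", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
# Host on Gi0/2 answers for the gateway IP with its own MAC (classic cache poisoning).
POISON = build_arp("00:11:22:33:44:02", "00:11:22:33:44:01", ARP_REPLY,
                   "00:11:22:33:44:02", "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10")
# Same host also forges the gateway's MAC in the Ethernet header.
MAC_FORGERY = build_arp("00:11:22:33:44:03", "00:11:22:33:44:01", ARP_REPLY,
                        "00:11:22:33:44:03", "192.0.2.1", "00:11:22:33:44:01", "192.0.2.10")
OBS = [("Gi0/1", LEGIT), ("Gi0/2", POISON), ("Gi0/2", MAC_FORGERY), ("Gi0/9", LEGIT)]

if __name__ == "__main__":
    for (port, _), verdict in zip(OBS, audit(OBS)):
        print(f"{port}: {verdict}")
```

The two forged frames fail at different layers: the poisoning reply carries a valid port->MAC pair and is only caught by the MAC->IP check, while the layer-2 forgery is already rejected by the port->MAC check, which is why the reply above treats the two mappings as separate requirements.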
More information about the NANOG mailing list