IPv6, IPSEC and DoS

Todd Vierling tv at duh.org
Mon Jan 3 21:59:10 UTC 2005

On Mon, 3 Jan 2005, Sean Donelan wrote:

> Not necessarily.  Some public networks are moving away from the ask
> everyone the question, anyone can answer model. It cuts down on the
> chatter, and the spoofing.  That doesn't mean you have to go to a static
> provisioning model, but it does mean you have to think harder about what
> you trust, what asks the questions and what answers the questions.

One example is the typical cable modem provider.  A DOCSIS modem is
provisioned with a MAC address known to the telco, and effectively creates a
virtual "port" on a huge switch^Whub with the modem's MAC as the port

The MAC of the device behind the virtual port is then provisioned using some
sort of interface that detects and stores that MAC address as associated
with the modem.  At that point it's easy to automate the process and allow
packets from known MAC addresses through only their associated virtual

-- Todd Vierling <tv at duh.org> <tv at pobox.com>

More information about the NANOG mailing list