adrian at creative.net.au
Wed Feb 18 22:20:41 UTC 2009
On Thu, Feb 19, 2009, Nathan Ward wrote:
> So, those people don't use DHCP in IPv4 if this is a concern, so I'm
> guessing they are not hoping to use DHCPv6 either.
> Static configuration of IP addressing information and other
> configuration will work just fine for them.
> I wonder, do they use ARP?
In the corporate world, you get wonderful L2/L3 features in switches,
* helper address stuff, to run centralised DHCP servers
* dhcp sniffing/filtering
* per port L2/L3 filters
* dynamic arp inspection
which are used on corporate LANs to both build out scalable address
management platforms (ie, no need to run a DHCP server on each subnet,
nor one DHCP server with seperate vlan if's to provide service), control
access and mitigate security risks.
I don't know what the IPv6 LAN "snooping" functionality is across
vendors but the last time I checked this out (say, 2-3 years ago)
it was pretty lacking.
> The things you are talking about are about protecting against
> misconfiguration, not about protecting against malicious people.
More information about the NANOG