IPv6 RA vs DHCPv6 - The chosen one?

Mohacsi Janos mohacsi at niif.hu
Fri Dec 23 21:13:54 UTC 2011

On Fri, 23 Dec 2011, Tomas Podermanski wrote:

> Port security does not help in that case (same as 802.1x). Port security
> is a layer 2 feature so all layer 3 attacks can be still performed. That
> prevents only against source MAC address spoofing. All other attacks
> like DAD DOS, NDP Exhaustion, RA flooding etc. can be performed even
> though the port security is implemented.

If you can limit number of ARP/NDP entries per interfaces and you 
complement RAGuard and DHCPv4 snooping your are done.

With "extended port security" such a features are comming...
 	Best Regards,
 		Janos Mohacsi

More information about the NANOG mailing list