Automatic IPv6 due to broadcast

Jimmy Hess mysidia at gmail.com
Mon Apr 23 00:30:09 CDT 2012


On 4/22/12, Grant Ridder <shortdudey123 at gmail.com> wrote:

> Most switches nowadays have dhcpv4 detection that can be enabled for port

Yes. Many L2 switches have DHCPv4 "snooping", where some port(s) can be
designated as trusted DHCP server ports for certain virtual LANs, and
DHCP messages can be detected and suppressed from unauthorized edge
ports. Particularly good L2 switches also have DAI or "IP Source Guard"
IPv4 functions, which, when properly enabled, can foil certain L2 ARP
and IPv4 source address spoofing attacks, respectively.

e.g., if the source IP address of a packet does not match one of the
DHCP leases issued to that port, then drop the packet.


As for IPv6 (RFC 6105), you have "ipv6 nd raguard" and IOS NDP
inspection.

However, there are caveats that should be noted. RA guard
implementations can be trivially fooled by the use of crafted packets.

These are potentially good protections against accidental
configuration errors, but not against malicious attack from a
general-purpose computer.


Currently, IPv4 seems to win at L2 easily with regard to the level of
hardware security features commonly available on L2 switches that
pertain to IP.



> -Grant
--
-JH
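An added example, not from this post or from any switch vendor's code: a small Python model of the two edge-port checks described above, the IPv4 source-guard lookup against DHCP-snooping bindings and an IPv6 RA guard. The RA guard is written twice, once inspecting only the fixed header's Next Header field and once walking the extension-header chain; a constructed Router Advertisement hidden behind a Destination Options header slips past the first and is caught by the second, which is the class of crafted-packet evasion later written up in RFC 7113. Port names, the binding table and every packet are constructed for the example, and the fail-closed treatment of fragments it cannot classify is this example's policy choice, not a documented vendor behaviour.

```python
"""
Added example: a model of two edge-port ingress checks, IPv4 source guard
(source address must match a DHCP-snooping lease for the port) and IPv6
RA guard (drop ICMPv6 Router Advertisements from untrusted ports), with the
RA guard written both the naive way and the extension-header-aware way.
All ports, bindings and packets below are constructed for the example.
"""
import struct
import ipaddress

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_ICMPV6, NH_DSTOPT = 0, 43, 44, 58, 60
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_DSTOPT}   # length field is (n + 1) * 8 octets
ICMPV6_ROUTER_ADVERTISEMENT = 134

# Assumed switch state (constructed): an uplink trusted for DHCP/RAs, and the
# binding table DHCPv4 snooping would have built for the edge ports.
TRUSTED_PORTS = {"Gi1/0/48"}
BINDINGS = {
    "Gi1/0/1": {"192.0.2.10"},
    "Gi1/0/2": {"192.0.2.11", "192.0.2.12"},
}


def source_guard_ok(port, ip4):
    """IP Source Guard: the IPv4 source must be a lease issued to this port."""
    src = str(ipaddress.IPv4Address(ip4[12:16]))
    return src in BINDINGS.get(port, set())


def upper_layer(ip6, walk_chain):
    """Locate the upper-layer header of an IPv6 packet: (next_header, offset).

    walk_chain=False mimics a naive RA guard that trusts the fixed header's
    Next Header field.  walk_chain=True skips Hop-by-Hop, Routing and
    Destination Options headers, and returns (None, None) when the chain is
    truncated or hidden behind a Fragment header (non-first fragment, or
    more extension headers after the Fragment header), so the caller can
    fail closed instead of guessing.  Fail-closed is this example's policy.
    """
    nh, off = ip6[6], 40
    if not walk_chain:
        return nh, off
    while nh in EXT_HEADERS:
        if off + 8 > len(ip6):
            return None, None
        nh, off = ip6[off], off + (ip6[off + 1] + 1) * 8
    if nh == NH_FRAG:
        if off + 8 > len(ip6):
            return None, None
        frag_offset = struct.unpack("!H", ip6[off + 2:off + 4])[0] >> 3
        nh, off = ip6[off], off + 8
        if frag_offset != 0 or nh in EXT_HEADERS:
            return None, None
    return nh, off


def ingress_filter(port, frame, walk_chain=True):
    """Verdict for one Ethernet frame arriving on a switch port."""
    if port in TRUSTED_PORTS:
        return "forward"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]
    if ethertype == ETH_IPV4:
        return "forward" if source_guard_ok(port, pkt) else "drop:source-guard"
    if ethertype == ETH_IPV6:
        nh, off = upper_layer(pkt, walk_chain)
        if nh is None:
            return "drop:unclassifiable"
        if nh == NH_ICMPV6 and off < len(pkt) and pkt[off] == ICMPV6_ROUTER_ADVERTISEMENT:
            return "drop:ra-guard"
    return "forward"


# --- constructed packets (hypothetical hosts, documentation prefixes) --------
def eth(ethertype, payload):
    return bytes.fromhex("333300000001" "02000000aaaa") + struct.pack("!H", ethertype) + payload

def ipv4(src, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ipv6(next_header, payload, src="fe80::1", dst="ff02::1"):
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)

# ICMPv6 Router Advertisement (checksum left zero: nothing here delivers it)
RA = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
# Destination Options header holding one PadN option and chaining to ICMPv6
DSTOPT = bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0])
# Fragment header of a non-first fragment (offset 1) claiming ICMPv6 follows
NONFIRST_FRAG = bytes([NH_ICMPV6, 0]) + struct.pack("!H", 1 << 3) + bytes(4)

PLAIN_RA = eth(ETH_IPV6, ipv6(NH_ICMPV6, RA))
HIDDEN_RA = eth(ETH_IPV6, ipv6(NH_DSTOPT, DSTOPT + RA))
FRAGMENT_RA = eth(ETH_IPV6, ipv6(NH_FRAG, NONFIRST_FRAG + RA))
GOOD_V4 = eth(ETH_IPV4, ipv4("192.0.2.10", "192.0.2.1"))
SPOOFED_V4 = eth(ETH_IPV4, ipv4("192.0.2.99", "192.0.2.1"))

if __name__ == "__main__":
    for name, frame in [("plain RA", PLAIN_RA), ("RA behind DstOpt", HIDDEN_RA),
                        ("non-first fragment", FRAGMENT_RA),
                        ("leased v4 source", GOOD_V4), ("spoofed v4 source", SPOOFED_V4)]:
        print(f"{name:20s} naive={ingress_filter('Gi1/0/1', frame, False):20s} "
              f"chain-walk={ingress_filter('Gi1/0/1', frame, True)}")
```

Run as a script it prints both verdicts for each constructed frame; the "RA behind DstOpt" row is the one that matters, forwarded by the naive check and dropped by the chain walk. The non-first fragment row shows the cost of the fail-closed choice: the chain walker drops a fragment it cannot classify, which is the trade-off a real implementation has to make explicitly.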
