[147860] in North American Network Operators' Group


Re: IPv6 RA vs DHCPv6 - The chosen one?

daemon@ATHENA.MIT.EDU (Mohacsi Janos)
Fri Dec 23 16:14:52 2011

Date: Fri, 23 Dec 2011 22:13:54 +0100 (CET)
From: Mohacsi Janos <mohacsi@niif.hu>
To: Tomas Podermanski <tpoder@cis.vutbr.cz>
In-Reply-To: <4EF4DBDE.7050706@cis.vutbr.cz>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org




On Fri, 23 Dec 2011, Tomas Podermanski wrote:

>
> Port security does not help in that case (same as 802.1x). Port security
> is a layer 2 feature so all layer 3 attacks can still be performed. That
> protects only against source MAC address spoofing. All other attacks
> like DAD DoS, NDP Exhaustion, RA flooding etc. can be performed even
> though the port security is implemented.

If you can limit the number of ARP/NDP entries per interface and you
complement RAGuard and DHCPv4 snooping, you are done.

With "extended port security" such features are coming...
 	Best Regards,
 		Janos Mohacsi


