[147862] in North American Network Operators' Group
Re: IPv6 RA vs DHCPv6 - The chosen one?
daemon@ATHENA.MIT.EDU (Jeff Wheeler)
Fri Dec 23 16:24:27 2011
In-Reply-To: <alpine.BSF.2.00.1112232210570.99152@mignon.ki.iif.hu>
Date: Fri, 23 Dec 2011 16:23:31 -0500
From: Jeff Wheeler <jsw@inconcepts.biz>
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <mohacsi@niif.hu> wrote:
> If you can limit the number of ARP/NDP entries per interface and you complement
> RAGuard and DHCPv4 snooping you are done.
That depends on how ARP/ND gleaning works on the box. In short, Cisco
already has a knob to limit the number of ND entries per interface on
some of their kit, and it is not a solution, only a damage mitigation
measure. http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
--
Jeff S Wheeler <jsw@inconcepts.biz>
Sr Network Operator / Innovative Network Concepts