[152276] in North American Network Operators' Group


Re: Automatic IPv6 due to broadcast

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Apr 23 09:43:07 2012

From: Owen DeLong <owen@delong.com>
In-Reply-To: <20120423132525.GA27538@angus.ind.WPI.EDU>
Date: Mon, 23 Apr 2012 06:38:09 -0700
To: Chuck Anderson <cra@WPI.EDU>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:

> On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
>> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
>>> Particularly good L2 switches also have
>>> DAI or "IP Source guard" IPv4 functions, which when properly
>>> enabled, can foil certain L2 ARP and IPv4 source address spoofing
>>> attacks, respectively.
>>>
>>
>>> e.g. Source IP address of packet does not match one of the DHCP leases
>>> issued to that port -- then drop the packet.
>>>
>>
>> Meh... I can see many cases where that might be more of a bug than a feature.
>>
>> Especially in environments where loops may be possible and the DHCP lease might
>> have come over a different path than the port in question during some network event.
>
> You're only supposed to use those features on the port directly
> connected to the end-system, or to a few end-systems via an unmanaged
> office switch that doesn't have redundant uplinks.  I.e. edge ports.

In a lot of cases, enforcing that all address assignments are via DHCP can still be
counter-productive. Especially in IPv6.


Owen
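
The decision logic the thread is arguing about, as an added simulation that is not part of the original thread and not any vendor's implementation: a toy switch learns (port, IP, MAC) bindings from snooped DHCP exchanges and drops non-DHCP packets on untrusted ports whose source does not match a binding for that port. The port names, MAC addresses and IP addresses are constructed. It walks through the spoofing case the feature is meant to stop, the case Owen raises where the lease was obtained over a different path so this switch never built a binding, and an IPv6 host that addressed itself without DHCP.

```python
"""Simulation of DHCP-snooping-backed IP Source Guard.

Added example, not from the NANOG thread or any switch vendor. Ports,
MACs and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field

ALLOW, DROP = "allow", "drop"


@dataclass
class SourceGuardSwitch:
    """Toy L2 switch: bindings come from snooped DHCP exchanges, and every
    non-DHCP packet on an untrusted port must match a binding for that port."""
    trusted_ports: set = field(default_factory=set)
    # client MAC -> untrusted port its DHCP REQUEST arrived on
    pending: dict = field(default_factory=dict)
    # (port, ip) -> mac: the snooping binding table
    bindings: dict = field(default_factory=dict)

    def dhcp_request(self, port, client_mac):
        """A client asks for a lease on an untrusted port; remember that port."""
        if port not in self.trusted_ports:
            self.pending[client_mac] = port

    def dhcp_ack(self, port, client_mac, leased_ip):
        """A server answers on a trusted port; bind the lease to the client's port.
        Returns True only if a binding was actually installed."""
        if port not in self.trusted_ports:
            return False  # DHCP servers are only honoured on trusted ports
        client_port = self.pending.pop(client_mac, None)
        if client_port is None:
            return False  # no REQUEST was seen here: lease came via another path
        self.bindings[(client_port, leased_ip)] = client_mac
        return True

    def verify_source(self, port, src_mac, src_ip, is_dhcp=False):
        """Source-guard decision for a packet entering on `port`."""
        if port in self.trusted_ports or is_dhcp:
            return ALLOW  # trusted uplinks and DHCP itself bypass the check
        return ALLOW if self.bindings.get((port, src_ip)) == src_mac else DROP


def run_scenario():
    """Walk through the cases discussed in the thread; returns the decisions."""
    sw = SourceGuardSwitch(trusted_ports={"uplink1", "uplink2"})

    # Normal case: lease obtained through this switch, traffic matches it.
    host = "00:11:22:33:44:55"
    sw.dhcp_request("edge1", host)
    sw.dhcp_ack("uplink1", host, "192.0.2.10")
    good = sw.verify_source("edge1", host, "192.0.2.10")

    # Spoofing: same host forges a source address -> dropped (the feature working).
    spoof = sw.verify_source("edge1", host, "192.0.2.99")

    # Owen's case: the host got its lease over a different path (only the ACK
    # transits this switch), so no binding exists for the port it now uses.
    roaming = "66:77:88:99:aa:bb"
    sw.dhcp_ack("uplink2", roaming, "192.0.2.20")
    moved = sw.verify_source("edge2", roaming, "192.0.2.20")

    # IPv6 host that configured its own address (no DHCP lease to bind to).
    v6host = "cc:dd:ee:ff:00:11"
    slaac = sw.verify_source("edge3", v6host, "2001:db8::1")

    # Trusted uplink: the check is not applied, which is why Chuck limits the
    # feature to edge ports.
    uplink = sw.verify_source("uplink1", roaming, "192.0.2.20")

    return {"good": good, "spoof": spoof, "moved": moved,
            "slaac": slaac, "uplink": uplink}


if __name__ == "__main__":
    for case, decision in run_scenario().items():
        print(f"{case:6s} -> {decision}")
```

The `moved` and `slaac` results are the "more of a bug than a feature" outcomes: legitimate hosts dropped because the binding table, not the host, is what the switch trusts.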


