[65112] in North American Network Operators' Group
Re: uRPF-based Blackhole Routing System Overview
daemon@ATHENA.MIT.EDU (Scott McGrath)
Wed Nov 12 11:20:41 2003
Date: Wed, 12 Nov 2003 11:17:06 -0500 (EST)
From: Scott McGrath <mcgrath@fas.harvard.edu>
To: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.33.0311071420120.3073-100000@da1server>
Errors-To: owner-nanog-outgoing@merit.edu
Vendor C calls it DHCP snooping and, to the best of my knowledge, it is only
available under IOS, not CatOS.
Scott C. McGrath
On Fri, 7 Nov 2003, Greg Maxwell wrote:
>
> On Fri, 7 Nov 2003, Robert A. Hayden wrote:
>
> [snip]
> > One final note. This system is pretty useless for modem pools, VPN
> > concentrators, and many DHCP implementations. The dynamic IP nature of
> > these setups means you will just kill legitimate traffic next time someone
> > gets the IP. You can attempt to correlate your detection with the time
> > they were handed out, of course, in the hopes you find them.
>
> Another approach to address this type of problem is the source spoofing
> preventing dynamic-acls support that some vendors have been adding to
> their products. I don't know if it's in anyone's production code-trains
> yet.
>
> The basic idea is that your switch snoops DHCP traffic to the port and
> generates an ACL based on the address assigned to the client. Removing a
> host is as simple as configuring your DHCP server to ignore its requests
> and perhaps sending a crafty packet (custom written DECLINE) to burp the
> existing ACL out of the switch.
>
> Vendor F calls this feature "Source IP Port Security"; I'm not sure what
> vendor C calls it.
>
> Since this is a layer 2 feature you can configure it far out on the edge
> and not just at the router.
>
>
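The snoop-then-filter mechanism Greg describes above, as an added toy model that is not code from this thread or from any vendor's product (the class, the port names, the lease times and the sample DHCP exchanges are all constructed). The switch learns which access port a client MAC sits on from its DISCOVER/REQUEST, installs a per-port (MAC, IP) binding when the server's ACK arrives on the trusted uplink, and afterwards forwards only frames whose source addresses match that binding. The binding is torn down by a RELEASE or DECLINE from the bound MAC, or when the lease expires, which is the "server ignores its requests" removal path in the quoted text; OFFER/ACK arriving on an access port is dropped as a rogue server.

```python
"""Toy model of DHCP-snooping-driven per-port source filtering.
Added illustration only; names and sample traffic are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    expires_at: float   # absolute time (seconds) at which the lease ends


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    # DHCP payload, if any: {"op": ..., "client_mac": ..., "yiaddr": ..., "lease": ...}
    dhcp: Optional[dict] = None


class SnoopingSwitch:
    def __init__(self, trusted_ports: Set[str]):
        self.trusted = trusted_ports              # ports allowed to carry OFFER/ACK
        self.client_port: Dict[str, str] = {}     # client MAC -> access port
        self.bindings: Dict[str, Binding] = {}    # access port -> binding (the dynamic ACL)
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        for port, b in list(self.bindings.items()):
            if b.expires_at <= now:
                del self.bindings[port]
                self.log.append(f"{port}: lease for {b.ip} expired, binding removed")

    def handle(self, f: Frame, now: float) -> str:
        """Return 'forward' or 'drop' for one frame."""
        self._expire(now)
        if f.dhcp is not None:
            return self._handle_dhcp(f, now)
        if f.in_port in self.trusted:
            return "forward"                      # uplink is not subject to the per-port ACL
        b = self.bindings.get(f.in_port)
        if b and b.ip == f.src_ip and b.mac == f.src_mac:
            return "forward"
        self.log.append(f"{f.in_port}: dropped {f.src_mac}/{f.src_ip} (no matching binding)")
        return "drop"

    def _handle_dhcp(self, f: Frame, now: float) -> str:
        op, client_mac = f.dhcp["op"], f.dhcp["client_mac"]
        if op in ("OFFER", "ACK"):
            if f.in_port not in self.trusted:
                self.log.append(f"{f.in_port}: dropped {op} from untrusted port (rogue server?)")
                return "drop"
            if op == "ACK":
                port = self.client_port.get(client_mac)
                if port is not None:
                    self.bindings[port] = Binding(client_mac, f.dhcp["yiaddr"], now + f.dhcp["lease"])
                    self.log.append(f"{port}: bound {client_mac} -> {f.dhcp['yiaddr']}")
            return "forward"
        # Client-originated message: the frame's MAC must match the claimed client MAC.
        if f.src_mac != client_mac:
            self.log.append(f"{f.in_port}: dropped {op} with mismatched client MAC")
            return "drop"
        self.client_port[client_mac] = f.in_port
        if op in ("RELEASE", "DECLINE"):
            b = self.bindings.get(f.in_port)
            if b and b.mac == client_mac:
                del self.bindings[f.in_port]
                self.log.append(f"{f.in_port}: {op} from {b.mac}, binding removed")
        return "forward"


C1, C2, SRV = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "00:00:5e:00:53:ff"  # constructed MACs


def scenario() -> List[str]:
    """Constructed walk-through: lease, legitimate traffic, spoofing attempts, release."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    steps: List[Tuple[Frame, float]] = [
        (Frame("fa0/1", C1, "0.0.0.0", {"op": "REQUEST", "client_mac": C1}), 0),
        (Frame("uplink", SRV, "10.0.0.1", {"op": "ACK", "client_mac": C1, "yiaddr": "10.0.0.50", "lease": 3600}), 1),
        (Frame("fa0/1", C1, "10.0.0.50"), 2),                       # matches binding
        (Frame("fa0/1", C1, "10.0.0.99"), 3),                       # wrong source IP
        (Frame("fa0/2", C2, "10.0.0.50"), 4),                       # neighbour reusing the IP, no binding
        (Frame("fa0/2", C2, "10.0.0.2", {"op": "ACK", "client_mac": C1, "yiaddr": "10.0.0.60", "lease": 3600}), 5),
        (Frame("fa0/1", C1, "10.0.0.50", {"op": "RELEASE", "client_mac": C1}), 6),
        (Frame("fa0/1", C1, "10.0.0.50"), 7),                       # binding gone after RELEASE
    ]
    return [sw.handle(f, t) for f, t in steps]


def lease_expiry_demo() -> Tuple[str, str]:
    """Host removed simply by the server no longer renewing: binding dies with the lease."""
    sw = SnoopingSwitch(trusted_ports={"uplink"})
    sw.handle(Frame("fa0/1", C1, "0.0.0.0", {"op": "REQUEST", "client_mac": C1}), 0)
    sw.handle(Frame("uplink", SRV, "10.0.0.1", {"op": "ACK", "client_mac": C1, "yiaddr": "10.0.0.50", "lease": 600}), 0)
    return (sw.handle(Frame("fa0/1", C1, "10.0.0.50"), 10), sw.handle(Frame("fa0/1", C1, "10.0.0.50"), 601))


if __name__ == "__main__":
    print(scenario())
    print(lease_expiry_demo())
```

Because the binding is keyed by the physical port, the check holds at the edge switch regardless of what the router sees, which is the point Greg makes about it being a layer 2 feature; the same model also shows why it fits dynamic pools better than a router-side blackhole, since the filter follows the lease rather than a snapshot of which address a host held at detection time.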