[76880] in North American Network Operators' Group
Re: IPv6, IPSEC and DoS
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Mon Jan 3 10:55:14 2005
In-Reply-To: <Pine.GSO.4.58.0501031027060.24001@kungfunix.net>
Cc: nanog@nanog.org
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Mon, 3 Jan 2005 16:54:41 +0100
To: "J. Oquendo" <sil@politrix.org>
Errors-To: owner-nanog-outgoing@merit.edu
On 3-jan-05, at 16:29, J. Oquendo wrote:
>> To prevent ARP or ND spoofing attacks you should have L2 switch
>> support for it! Or you can use static ARP or ND entries, which are
>> rather difficult to maintain.
> Funny you should mention this. I thought about this but figure the
> following: regardless of VLAN/PVLAN settings, switches still need to
> build an ARP table.
Yes, and that's why you need static MAC forwarding tables too.
If you can then enforce the port->MAC->IP mappings you're pretty much
bulletproof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.
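The port->MAC->IP enforcement described in the reply above, modelled in software as an added example (this is not code from the thread or from any switch vendor). It simulates a switch that holds a static binding table, forwards a source MAC only on the port it is bound to, and drops ARP replies or IPv6 Neighbor Advertisements whose protocol-level sender MAC/IP pair does not match the binding for the ingress port. The binding table, the frame layout and the sample frames are constructed for illustration; the port names, MAC addresses and IP addresses are assumptions, not values from the original post.

```python
"""Port->MAC->IP binding enforcement, modelled in software (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    """One static row of the switch's binding table (constructed format)."""
    port: str
    mac: str
    ip: str


@dataclass(frozen=True)
class Frame:
    """A simplified ingress frame. 'kind' is one of arp_reply, arp_request,
    nd_adv, data. sender_mac/sender_ip are the protocol-level fields
    (ARP sender hardware/protocol address, or NA target address plus its
    target link-layer address option)."""
    port: str
    src_mac: str
    kind: str
    sender_mac: str = ""
    sender_ip: str = ""


class BindingTable:
    def __init__(self, bindings):
        self.by_port = {}      # port -> {(mac, ip)}
        self.mac_to_port = {}  # mac  -> {port}  (the static MAC forwarding table)
        for b in bindings:
            mac = b.mac.lower()
            ip = ip_address(b.ip).compressed  # canonical form so 2001:DB8:0:0::10 == 2001:db8::10
            self.by_port.setdefault(b.port, set()).add((mac, ip))
            self.mac_to_port.setdefault(mac, set()).add(b.port)

    def check(self, frame):
        """Return ("forward", reason) or ("drop", reason) for one frame."""
        src = frame.src_mac.lower()
        # Static MAC forwarding table: a source MAC may only appear on its bound port.
        if frame.port not in self.mac_to_port.get(src, set()):
            return ("drop", f"mac {src} not bound to port {frame.port}")
        if frame.kind in ("arp_reply", "arp_request", "nd_adv"):
            smac = frame.sender_mac.lower()
            sip = ip_address(frame.sender_ip).compressed
            # The address the host advertises must be the one it really sends from.
            if smac != src:
                return ("drop", f"{frame.kind}: sender mac {smac} != frame src {src}")
            # The MAC->IP pair must be exactly what is bound on this port.
            if (smac, sip) not in self.by_port[frame.port]:
                return ("drop", f"{frame.kind}: {smac}->{sip} not bound on port {frame.port}")
        return ("forward", "ok")


# Constructed bindings: host A on gi1 (dual-stack), host B on gi2.
BINDINGS = [
    Binding("gi1", "00:00:5e:00:53:01", "192.0.2.10"),
    Binding("gi1", "00:00:5e:00:53:01", "2001:db8::10"),
    Binding("gi2", "00:00:5e:00:53:02", "192.0.2.20"),
]

# Constructed traffic: legitimate frames mixed with the spoofing cases the
# thread is about (claiming another host's IP, forging the sender MAC, moving
# a MAC to a different port).
SAMPLE_FRAMES = [
    Frame("gi1", "00:00:5e:00:53:01", "arp_reply", "00:00:5e:00:53:01", "192.0.2.10"),
    Frame("gi2", "00:00:5e:00:53:02", "arp_reply", "00:00:5e:00:53:02", "192.0.2.10"),
    Frame("gi2", "00:00:5e:00:53:02", "arp_reply", "00:00:5e:00:53:01", "192.0.2.10"),
    Frame("gi3", "00:00:5e:00:53:01", "data"),
    Frame("gi1", "00:00:5e:00:53:01", "nd_adv", "00:00:5E:00:53:01", "2001:DB8:0:0::10"),
    Frame("gi1", "00:00:5e:00:53:01", "data"),
]


def run_sample(bindings=BINDINGS, frames=SAMPLE_FRAMES):
    """Apply the binding table to every frame; returns the list of decisions."""
    table = BindingTable(bindings)
    return [table.check(f) for f in frames]


if __name__ == "__main__":
    for frame, (verdict, why) in zip(SAMPLE_FRAMES, run_sample()):
        print(f"{frame.port:>4} {frame.kind:<11} {verdict:<7} {why}")
```

Of the six constructed frames, only the first, fifth and sixth are forwarded: frame two claims host A's IPv4 address from host B's port, frame three forges the ARP sender hardware address, and frame four shows host A's MAC arriving on a port it is not bound to. Note that this model enforces the MAC->IP relation only at the switch edge; the message's alternative of TCP MD5 or IPsec moves that check into the end hosts instead, where it does not depend on the switch at all.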