From: Iljitsch van Beijnum (no email)
Date: Mon Jan 03 2005 - 10:54:41 EST
On 3-jan-05, at 16:29, J. Oquendo wrote:
>> To prevent ARP or ND spoofing attacks you should have L2 switch
>> support for it! Or you can use static ARP or ND entries, which are
>> rather difficult to maintain.
> Funny you should mention this. I thought about this but figured the
> following: regardless of VLAN/PVLAN settings, switches still need to
> build an ARP table.
Yes, and that's why you need static MAC forwarding tables too.
If you can then enforce the port->MAC->IP mappings, you're pretty much
bulletproof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.
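As an added example (not part of this thread or anyone's posted code), here is the port->MAC->IP enforcement described above implemented in Python over constructed ARP frames: the Ethernet source must be a MAC bound to the ingress port, the ARP sender MAC must match the Ethernet source, and that MAC may only claim the IP bound to it. The port names, MACs, addresses and binding table are assumptions for illustration; a switch doing dynamic ARP inspection performs essentially the same checks, with the binding table filled from static entries or DHCP snooping.

```python
"""Enforce port -> MAC -> IP bindings on ARP frames (dynamic-ARP-inspection style).

Added example; binding table, ports and addresses are constructed for illustration.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Hypothetical binding table: port -> {MAC: IP}. On a real switch this would be
# static entries or the DHCP snooping database.
BINDINGS = {
    "Gi0/1": {"00:11:22:33:44:01": "192.0.2.10"},
    "Gi0/2": {"00:11:22:33:44:02": "192.0.2.11"},
    "Gi0/24": {"00:11:22:33:44:fe": "192.0.2.1"},   # gateway port
}


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a raw Ethernet II + ARP (IPv4 over Ethernet) frame, 42 bytes."""
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_to_bytes(sha), ip_to_bytes(spa),
                      mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"eth_src": bytes_to_mac(eth_src), "eth_dst": bytes_to_mac(eth_dst),
            "op": op, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


def inspect(port, frame, bindings=BINDINGS):
    """Return ('forward', reason) or ('drop', reason) for a frame seen on `port`."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return ("forward", "not ARP; left to other filters")
    allowed = bindings.get(port, {})
    # 1. port -> MAC: the Ethernet source must be a MAC bound to this port.
    if arp["eth_src"] not in allowed:
        return ("drop", f"MAC {arp['eth_src']} not permitted on {port}")
    # 2. The ARP sender MAC must agree with the Ethernet source address.
    if arp["sha"] != arp["eth_src"]:
        return ("drop", f"ARP sender {arp['sha']} != Ethernet source {arp['eth_src']}")
    # 3. MAC -> IP: that MAC may only claim the IP bound to it on this port.
    if allowed[arp["sha"]] != arp["spa"]:
        return ("drop", f"{arp['sha']} on {port} may not claim {arp['spa']}")
    if arp["op"] not in (ARP_REQUEST, ARP_REPLY):
        return ("drop", f"unknown ARP opcode {arp['op']}")
    return ("forward", "binding matches")


if __name__ == "__main__":
    host1, host2, gw = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:fe"
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    samples = [  # constructed frames: (ingress port, description, frame)
        ("Gi0/1", "legit who-has", build_arp_frame(host1, bcast, ARP_REQUEST,
                                                   host1, "192.0.2.10", zero, "192.0.2.1")),
        ("Gi0/2", "host2 claims gateway IP", build_arp_frame(host2, host1, ARP_REPLY,
                                                             host2, "192.0.2.1", host1, "192.0.2.10")),
        ("Gi0/2", "host2 clones gateway MAC", build_arp_frame(gw, host1, ARP_REPLY,
                                                              gw, "192.0.2.1", host1, "192.0.2.10")),
        ("Gi0/24", "real gateway reply", build_arp_frame(gw, host1, ARP_REPLY,
                                                         gw, "192.0.2.1", host1, "192.0.2.10")),
    ]
    for port, what, frame in samples:
        print(f"{port:7} {what:26} -> {inspect(port, frame)}")
```

Frames that pass all three checks come from the right port, the right MAC and the right IP, which is the "pretty much bulletproof" case in the message above; note the check only covers ARP, so the ND side of the thread needs the equivalent validation on Neighbor Solicitation/Advertisement messages.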