nanog mailing list archives
Re: IPv6, IPSEC and DoS
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Mon, 3 Jan 2005 16:54:41 +0100

On 3-jan-05, at 16:29, J. Oquendo wrote:

>> To prevent ARP or ND spoofing attack you should have L2 switch support to it! Or you can use static ARP or ND entries, which is rather difficult to maintain.

> Funny you should mention this. I thought about this but figure the following: regardless of VLAN/PVLAN/ settings, switches still need to build an ARP table

Yes, and that's why you need static MAC forwarding tables too. If you can then enforce the port->MAC->IP mappings you're pretty much bulletproof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.
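
The port->MAC->IP enforcement described in the message above, as an added Python example that is not part of the original post: it checks observed ARP/ND claims against a static binding table in two stages. Port names, addresses, the table layout and all function names are constructed for illustration.

```python
import ipaddress

# Constructed static table: switch port -> (only MAC allowed there, IPs that MAC may claim).
STATIC = {
    "ge-0/0/1": ("00:00:5e:00:53:01", ["192.0.2.10", "2001:db8::10"]),
    "ge-0/0/2": ("00:00:5e:00:53:02", ["192.0.2.20", "2001:db8::20"]),
}

def norm_mac(mac):
    # Accept both 00-00-5E-... and 00:00:5e:... spellings.
    return mac.lower().replace("-", ":")

def build(static):
    # Parse addresses once so textual variants of one IPv6 address compare equal.
    return {port: (norm_mac(mac), {ipaddress.ip_address(a) for a in ips})
            for port, (mac, ips) in static.items()}

def check(table, port, src_mac, claimed_ip):
    """Classify one observed ARP reply or ND neighbor advertisement."""
    entry = table.get(port)
    if entry is None:
        return "unknown-port"
    mac, ips = entry
    if norm_mac(src_mac) != mac:
        return "port-mac-violation"   # stage 1: wrong MAC for this port
    if ipaddress.ip_address(claimed_ip) not in ips:
        return "mac-ip-violation"     # stage 2: right MAC, IP it does not own
    return "ok"

# Constructed observations: (ingress port, source MAC, IP claimed in ARP/ND).
OBSERVED = [
    ("ge-0/0/1", "00-00-5E-00-53-01", "192.0.2.10"),
    ("ge-0/0/1", "00:00:5e:00:53:01", "2001:DB8:0:0::10"),
    ("ge-0/0/2", "00:00:5e:00:53:01", "192.0.2.10"),
    ("ge-0/0/2", "00:00:5e:00:53:02", "192.0.2.10"),
    ("ge-0/0/9", "00:00:5e:00:53:09", "192.0.2.90"),
]

def audit(static=STATIC, observed=OBSERVED):
    table = build(static)
    return [check(table, *obs) for obs in observed]

if __name__ == "__main__":
    for obs, verdict in zip(OBSERVED, audit()):
        print(verdict, *obs)
```

The fourth observation is the case the port->MAC part alone does not catch: the frame carries the correct MAC for its port but claims an address bound to another host.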