North American Network Operators Group
Re: uRPF-based Blackhole Routing System Overview
Catching up on the thread... vendor C also calls it "IP Source-guard" on the Cat 4K in IOS. And it actually works quite well (does require DHCP snooping).

T

----- Original Message -----
From: "Scott McGrath" <[email protected]>
To: <[email protected]>
Sent: Wednesday, November 12, 2003 5:17 PM
Subject: Re: uRPF-based Blackhole Routing System Overview

> Vendor C calls it DHCP snooping and to the best of my knowledge it is only available under IOS not CatOS
>
> Scott C. McGrath
>
> On Fri, 7 Nov 2003, Greg Maxwell wrote:
>
> > On Fri, 7 Nov 2003, Robert A. Hayden wrote:
> >
> > [snip]
> > > One final note. This system is pretty useless for modem pools, VPN concentrators, and many DHCP implementations. The dynamic IP nature of these setups means you will just kill legitimate traffic next time someone gets the IP. You can attempt to correlate your detection with the time they were handed out, of course, in the hopes you find them.
> >
> > Another approach to address this type of problem is the source spoofing preventing dynamic-acls support that some vendors have been adding to their products. I don't know if it's in anyone's production code-trains yet.
> >
> > The basic idea is that your switch snoops DHCP traffic to the port and generates an ACL based on the address assigned to the client. Removing a host is as simple as configuring your DHCP server to ignore its requests and perhaps sending a crafty packet (custom written DECLINE) to burp the existing ACL out of the switch.
> >
> > Vendor F calls this feature "Source IP Port Security", I'm not sure what vendor C calls it.
> >
> > Since this is a layer 2 feature you can configure it far out on the edge and not just at the router.
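The mechanism Greg Maxwell describes (the switch snoops DHCP on each access port, derives a per-port source filter from the lease the server hands out, and tears the filter down when the lease goes away) is easy to misunderstand without seeing the state machine. The following is an added illustration, not code from the thread or from any vendor's implementation: a small Python model of a snooping switch with a binding table, trusted (server-facing) ports, and the data-plane check that a real IP Source Guard / Source IP Port Security feature performs in hardware. Port names, MAC addresses, and the 10.0.0.0/24 lease values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Binding:
    """One DHCP snooping binding: the lease the switch saw granted on a port."""
    mac: str
    ip: str
    expires: float  # absolute time in seconds at which the lease ends


class SnoopingSwitch:
    """Toy model of DHCP snooping plus per-port source-address filtering.

    Only the behaviour the thread talks about is modelled: server replies are
    accepted only on trusted ports, an ACK installs a (port, MAC, IP) binding,
    RELEASE/DECLINE from the bound client removes it, and ordinary traffic on
    an untrusted port is permitted only when it matches the binding.
    """

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)       # ports facing the DHCP server / uplink
        self.client_port: Dict[str, str] = {}   # client MAC -> access port it asked from
        self.bindings: Dict[str, Binding] = {}  # access port -> current binding

    def observe_dhcp(self, port: str, msg_type: str, client_mac: str,
                     yiaddr: Optional[str] = None, lease: int = 0, now: float = 0.0) -> str:
        """Control plane: inspect one DHCP message arriving on `port`."""
        if msg_type in ("DISCOVER", "REQUEST"):
            if port in self.trusted:
                return "ignored"  # client messages are not expected from the server side
            self.client_port[client_mac] = port
            return "learned"
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted:
                return "dropped-rogue-server"  # a server answering on an access port is dropped
            if msg_type == "ACK":
                cport = self.client_port.get(client_mac)
                if cport is None:
                    return "no-client-port"
                self.bindings[cport] = Binding(client_mac, yiaddr, now + lease)
                return "bound"
            return "forwarded"
        if msg_type in ("RELEASE", "DECLINE"):
            b = self.bindings.get(port)
            # Tear the filter down only if the message comes from the bound MAC on the bound port.
            if b is not None and b.mac == client_mac:
                del self.bindings[port]
                return "unbound"
            return "ignored"
        return "forwarded"

    def permit(self, port: str, src_mac: str, src_ip: str, now: float = 0.0) -> bool:
        """Data plane: may a frame with this source MAC/IP enter on `port`?"""
        if port in self.trusted:
            return True
        if src_ip == "0.0.0.0":
            return True  # DHCP DISCOVER/REQUEST before a lease exists must still get through
        b = self.bindings.get(port)
        if b is None or now >= b.expires:
            return False  # no lease, or lease expired: the host's filter is gone
        return b.mac == src_mac and b.ip == src_ip


def demo() -> Dict[str, object]:
    """Walk one client through lease, spoof attempts, expiry and release (constructed values)."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    mac = "aa:aa:aa:aa:aa:01"
    sw.observe_dhcp("Gi1/0/1", "DISCOVER", mac)
    sw.observe_dhcp("Gi1/0/48", "ACK", mac, yiaddr="10.0.0.11", lease=3600, now=0)
    r: Dict[str, object] = {}
    r["legit"] = sw.permit("Gi1/0/1", mac, "10.0.0.11", now=10)
    r["spoofed_ip"] = sw.permit("Gi1/0/1", mac, "10.0.0.99", now=10)
    r["other_port"] = sw.permit("Gi1/0/2", mac, "10.0.0.11", now=10)
    r["rogue_server"] = sw.observe_dhcp("Gi1/0/2", "ACK", "aa:aa:aa:aa:aa:02",
                                        yiaddr="10.0.0.12", lease=3600)
    r["expired"] = sw.permit("Gi1/0/1", mac, "10.0.0.11", now=4000)
    r["foreign_decline"] = sw.observe_dhcp("Gi1/0/1", "DECLINE", "aa:aa:aa:aa:aa:03")
    r["release"] = sw.observe_dhcp("Gi1/0/1", "RELEASE", mac)
    r["after_release"] = sw.permit("Gi1/0/1", mac, "10.0.0.11", now=10)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The model makes two of the thread's points concrete: the filter is tied to the port the client asked from, so the same lease presented on another port is dropped, and the binding disappears on expiry or on a RELEASE/DECLINE from the bound MAC, which is why dropping a host's lease at the DHCP server is enough to cut it off without touching the router. Real implementations also rate-limit DHCP on untrusted ports and persist the binding table across reloads; both are omitted here.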