North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IPv6, IPSEC and DoS

  • From: Iljitsch van Beijnum
  • Date: Mon Jan 03 10:55:49 2005 
On 3-jan-05, at 16:29, J. Oquendo wrote:
To prevent ARP or ND spoofing attack you should have L2 switch support to
it! Or you can use static ARP or ND entries, which is rather difficult to
maintain.


Funny you should mention this I thought about this but figure the
following, regardless of VLAN/PVLAN/ settings, switches still need to
build an ARP table




Yes, and that's why you need static MAC forwarding tables too.



If you can then enforce the port->MAC->IP mappings you're pretty much
bullet proof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.