Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: IPv6, IPSEC and DoS

  • From: Iljitsch van Beijnum
  • Date: Mon Jan 03 10:55:49 2005

On 3-jan-05, at 16:29, J. Oquendo wrote:

>> To prevent ARP or ND spoofing attack you should have L2 switch support to
>> it! Or you can use static ARP or ND entries, which is rather difficult to
>> maintain.
>
> Funny you should mention this I thought about this but figure the
> following, regardless of VLAN/PVLAN/ settings, switches still need to
> build an ARP table

Yes, and that's why you need static MAC forwarding tables too.

If you can then enforce the port->MAC->IP mappings you're pretty much bullet proof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.
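
The port->MAC->IP enforcement described in the message above, sketched as an added example that is not part of the original post: it parses raw Ethernet/IPv4 ARP frames and checks each against a static binding table. The port names, MAC addresses, IP addresses and function names are constructed for illustration, and only the ARP case is covered, not ND.

```python
import struct
from ipaddress import IPv4Address

# Constructed static binding table: switch port -> (MAC, IPv4). Hypothetical values.
BINDINGS = {
    "ge-0/0/1": ("00:11:22:33:44:01", "192.0.2.1"),
    "ge-0/0/2": ("00:11:22:33:44:02", "192.0.2.2"),
}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[6:12]), mac_str(frame[22:28]), str(IPv4Address(frame[28:32]))

def check(port, frame, bindings=BINDINGS):
    """Return the list of port->MAC->IP binding violations for one frame seen on a port."""
    parsed = parse_arp(frame)
    if parsed is None:
        return ["not an Ethernet/IPv4 ARP frame"]
    eth_src, sha, spa = parsed
    if port not in bindings:
        return [f"no binding for port {port}"]
    mac, ip = bindings[port]
    problems = []
    if eth_src != mac:  # port->MAC: frame source must be the MAC pinned to this port
        problems.append(f"port->MAC: source {eth_src} != {mac}")
    if sha != eth_src:  # ARP payload must agree with the Ethernet header
        problems.append(f"ARP sender MAC {sha} differs from Ethernet source {eth_src}")
    if spa != ip:       # MAC->IP: sender may only claim the IP bound to its MAC
        problems.append(f"MAC->IP: sender claims {spa}, bound to {ip}")
    return problems

def build_arp(src_mac, sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed ARP frame (broadcast destination) as sample input for check()."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (b"\xff" * 6 + m(src_mac) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + m(sender_mac) + IPv4Address(sender_ip).packed
            + b"\x00" * 6 + IPv4Address(target_ip).packed)
```
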




