North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: IPv6, IPSEC and DoS
- From: Iljitsch van Beijnum
- Date: Mon Jan 03 10:55:49 2005
On 3-jan-05, at 16:29, J. Oquendo wrote:
To prevent ARP or ND spoofing attack you should have L2 switch
support to
it! Or you can use static ARP or ND entries, which is rather
difficult to
maintain.
Funny you should mention this I thought about this but figure the
following, regardless of VLAN/PVLAN/ settings, switches still need to
build an ARP table
Yes, and that's why you need static MAC forwarding tables too.
If you can then enforce the port->MAC->IP mappings you're pretty much
bullet proof. I know there are switches that can handle the port->MAC
part. An alternative for the MAC->IP part would be the TCP MD5 option
or IPsec.
|
