nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Automatic IPv6 due to broadcast

From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 23 Apr 2012 00:30:09 -0500
On 4/22/12, Grant Ridder <shortdudey123 () gmail com> wrote:


Most switches nowadays have dhcpv4 detection that can be enabled for port


Yes. Many L2 switches have DHCPv4 "Snooping",  where some port(s) can
be so designated as trusted DHCP server ports, for certain Virtual
LANs; and dhcp messages can be detected and suppressed from
unauthorized edge ports.     Particularly good L2 switches also have
DAI  or  "IP Source guard"  IPv4 functions,   which when properly
enabled,  can foil certain L2 ARP  and IPv4 source  address spoofing
attacks,  respectively.

e.g. Source IP address of packet does not match one of the DHCP leases
issued to that port -- then drop the packet.


As for IPv6; rfc6105;  you have
ipv6 nd raguard

and IOS NDP inspection.

However, there are caveats that should be noted.    RA guard
implementations can be trivially fooled by the use of crafted packets.

These are potentially good protections against accidental
configuration errors, but not malicious attack from a general purpose
computer.


Currently,  IPv4  seems to win at L2 easily in regards to the level of
hardware security features commonly available on L2 switches  that
pertain to IP.




-Grant

--
-JH
Previous By Date Next
Previous By Thread Next

Current thread: