Home page logo

nanog logo nanog mailing list archives

Re: IPv6 RA vs DHCPv6 - The chosen one?
From: Mohacsi Janos <mohacsi () niif hu>
Date: Fri, 23 Dec 2011 22:13:54 +0100 (CET)

On Fri, 23 Dec 2011, Tomas Podermanski wrote:

Port security does not help in that case (same as 802.1x). Port security
is a layer 2 feature so all layer 3 attacks can be still performed. That
prevents only against source MAC address spoofing. All other attacks
like DAD DOS, NDP Exhaustion, RA flooding etc. can be performed even
though the port security is implemented.

If you can limit number of ARP/NDP entries per interfaces and you complement RAGuard and DHCPv4 snooping your are done.

With "extended port security" such a features are comming...
        Best Regards,
                Janos Mohacsi

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]