nanog mailing list archives

Re: IPv6 RA vs DHCPv6 - The chosen one?
From: Mohacsi Janos <mohacsi () niif hu>
Date: Fri, 23 Dec 2011 22:36:44 +0100 (CET)

On Fri, 23 Dec 2011, Jeff Wheeler wrote:

> On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <mohacsi () niif hu> wrote:
>> If you can limit the number of ARP/NDP entries per interface and you complement
>> RAGuard and DHCPv4 snooping, you are done.
>
> That depends on how ARP/ND gleaning works on the box.  In short, Cisco
> already has a knob to limit the number of ND entries per interface on
> some of their kit, and it is not a solution, only a damage mitigation
> measure.  http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

The solution is that you monitor your device: if the limits are reached, then you get notified and you can resolve the problem.
        Best Regards,
                Janos Mohacsi

> Jeff S Wheeler <jsw () inconcepts biz>
> Sr Network Operator  /  Innovative Network Concepts
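
An added example, not part of either poster's message: one way to do the monitoring discussed above, counting neighbor-discovery entries per interface and flagging an interface that is close to its configured limit or whose cache is mostly unresolved entries. It assumes a Linux host and the output format of `ip -6 neigh show`; the sample text, function names, limit and ratios are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the format printed by Linux `ip -6 neigh show`.
SAMPLE = """\
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:0:1::10 dev eth0 lladdr 00:11:22:33:44:66 STALE
2001:db8:0:1::a1 dev eth0  INCOMPLETE
2001:db8:0:1::a2 dev eth0  INCOMPLETE
2001:db8:0:1::a3 dev eth0  FAILED
2001:db8:0:2::20 dev eth1 lladdr 00:11:22:33:44:77 REACHABLE
"""

# States with no resolved link-layer address; many of these on one
# interface means the cache is filling with addresses nobody answers for.
UNRESOLVED = {"INCOMPLETE", "FAILED"}


def nd_usage(neigh_text):
    """Return {interface: (total_entries, unresolved_entries)}."""
    total, unresolved = Counter(), Counter()
    for line in neigh_text.splitlines():
        fields = line.split()
        # Shortest valid line: <address> dev <iface> <STATE>
        if len(fields) < 4 or "dev" not in fields[:-2]:
            continue
        iface = fields[fields.index("dev") + 1]
        total[iface] += 1
        if fields[-1] in UNRESOLVED:
            unresolved[iface] += 1
    return {iface: (total[iface], unresolved[iface]) for iface in total}


def nd_alerts(neigh_text, limit, warn_ratio=0.8, unresolved_ratio=0.5):
    """Return (interface, reason, count) tuples worth notifying on.

    limit is the per-interface entry limit configured on the device
    (an assumed value here); the ratios are illustrative thresholds.
    """
    alerts = []
    for iface, (total, unres) in sorted(nd_usage(neigh_text).items()):
        if total >= limit * warn_ratio:
            alerts.append((iface, "near-limit", total))
        if unres / total >= unresolved_ratio:
            alerts.append((iface, "mostly-unresolved", unres))
    return alerts


if __name__ == "__main__":
    for alert in nd_alerts(SAMPLE, limit=6):
        print(alert)
```
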
