[c-nsp] Disable ARP

Gert Doering gert at greenie.muc.de
Fri Aug 25 06:17:52 EDT 2006


Hi,

On Fri, Aug 25, 2006 at 01:28:33PM +0400, Alex A. Pavlenko wrote:
> The main goal is to increase security - to forbid customers
> to steal ip addresses. 

Last century's approach.

This century, one would just give every customer their own L3 segment, with
their own address pool, and enable uRPF filtering on the router.  That way,
you won't have to worry about customers stealing each other's IP addresses,
without having to manually maintain anything.

(Besides: disabling ARP on the router won't help you at all against
"one customer in the same L3 segment attacking a different customer in the
same L3 segment with spoofed IP addresses").

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
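
Added example, not part of the original message: a small Python model of strict-mode uRPF on the customer-facing router, showing why one L3 segment per customer lets the router drop a borrowed source address, and why it has nothing to distinguish by when two customers share a segment. The prefixes (documentation ranges) and interface names are constructed for illustration.

```python
import ipaddress

# Constructed connected routes: prefix -> interface (hypothetical names).
PER_CUSTOMER = {
    "192.0.2.0/29": "Gi0/1.101",   # customer A's own L3 segment
    "192.0.2.8/29": "Gi0/1.102",   # customer B's own L3 segment
}
SHARED = {
    "192.0.2.0/28": "Gi0/1",       # customers A and B in one L3 segment
}

def build_fib(routes):
    """Turn the prefix -> interface mapping into a list of (network, interface)."""
    return [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()]

def lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, ifc in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def urpf_strict(fib, src, ingress):
    """Strict uRPF: accept only if the route back to src leaves via ingress."""
    return lookup(fib, src) == ingress

def demo():
    per, shared = build_fib(PER_CUSTOMER), build_fib(SHARED)
    return {
        # Customer A sending from its own pool on its own interface.
        "A_own": urpf_strict(per, "192.0.2.2", "Gi0/1.101"),
        # Customer A using an address from B's pool: route points elsewhere.
        "A_uses_B_addr": urpf_strict(per, "192.0.2.10", "Gi0/1.101"),
        # Source with no route at all is dropped too.
        "A_unrouted_src": urpf_strict(per, "198.51.100.7", "Gi0/1.101"),
        # Shared segment: both pools sit behind the same interface, so the
        # check passes and the router cannot tell the customers apart.
        "shared_A_uses_B_addr": urpf_strict(shared, "192.0.2.10", "Gi0/1"),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22} {'accept' if accepted else 'drop'}")
```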

