[c-nsp] Disable ARP
Christian Zeng
christian at zengl.net
Fri Aug 25 07:15:47 EDT 2006
* Gert Doering <gert at greenie.muc.de> wrote:
>
>On Fri, Aug 25, 2006 at 01:28:33PM +0400, Alex A. Pavlenko wrote:
>> The main goal is to increase security - to forbid customers
>> to steal ip addresses.
>
>Last century's approach.
>
>This century, one would just give every customer their own L3 segment, with
>their own address pool, and enable uRPF filtering on the router. That way,
>you won't have to worry about customers stealing each other's IP addresses,
>without having to manually maintain anything.
I second that.
Furthermore, disabling arp 'secures' only one direction - returning
traffic. Without ingress filtering, a router would accept any packet -
forged source or not - and forward it.
Having a unidirectional traffic path is worth something, isn't it? ;-)
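To make the distinction in the thread concrete, here is an added example (not from the original post or from Cisco) that models a router with one L3 segment per customer and strict uRPF on the customer-facing interfaces. The prefixes, interface names and packets are constructed; the default route is ignored for the uRPF check, which is assumed to mirror IOS behaviour without 'allow-default'.

```python
import ipaddress

# Constructed routing table for the design described above: every customer
# gets its own L3 segment, so each customer pool sits behind one interface.
# Prefixes and interface names are made up for this example.
ROUTES = {
    "192.0.2.0/26":  "Gi0/1",   # customer A's address pool
    "192.0.2.64/26": "Gi0/2",   # customer B's address pool
    "0.0.0.0/0":     "Gi0/0",   # default route towards the upstream
}

def lookup(address, ignore_default=False):
    """Longest-prefix match on ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ignore_default and net.prefixlen == 0:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict_accepts(src, ingress):
    """Strict uRPF: the best route back to the source must point out the
    interface the packet arrived on. The default route is not considered
    (assumed to model IOS behaviour without 'allow-default')."""
    return lookup(src, ignore_default=True) == ingress

def forward(src, dst, ingress, urpf_interfaces=()):
    """Return ("drop", reason) or ("forward", egress). Without ingress
    filtering the router forwards any source address, forged or not."""
    if ingress in urpf_interfaces and not urpf_strict_accepts(src, ingress):
        return ("drop", "uRPF: source %s not reachable via %s" % (src, ingress))
    return ("forward", lookup(dst))

if __name__ == "__main__":
    # Customer B (behind Gi0/2) sends with customer A's address as source.
    forged = ("192.0.2.5", "203.0.113.10", "Gi0/2")
    print(forward(*forged))                                      # no filtering: forwarded
    print(forward(*forged, urpf_interfaces=("Gi0/1", "Gi0/2")))  # strict uRPF: dropped
```

Disabling ARP would only stop the reply traffic from reaching the thief; the forged-source packet in the example is still forwarded unless the ingress check is in place.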