[c-nsp] Disable ARP
Alex A. Pavlenko
lex at sandy.ru
Fri Aug 25 09:48:04 EDT 2006
> Hi,
>
> On Fri, Aug 25, 2006 at 01:28:33PM +0400, Alex A. Pavlenko wrote:
>> The main goal is to increase security - to forbid customers
>> to steal ip addresses.
>
> Last century's approach.
>
> This century, one would just give every customer their own L3 segment, with
> their own address pool, and enable uRPF filtering on the router. That way,
Gert,
what do you mean by "their own L3 segment"? Does it mean one VLAN with
/30 (assuming one computer per customer) addressing for one customer?
Alex.
> you won't have to worry about customers stealing each other's IP addresses,
> without having to manually maintain anything.
>
> (Besides: disabling ARP on the router won't help you at all against
> "one customer in the same L3 segment attacking a different customer in the
> same L3 segment with spoofed IP addresses").
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany gert at greenie.muc.de
> fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
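
The strict uRPF check discussed in this message, modelled as an added example that is not part of the original thread or any router's code. It assumes the /30-per-customer layout Alex asks about (the thread does not confirm that size); the pool, VLAN names and addresses are constructed.

```python
import ipaddress

def build_fib(pool, interfaces, prefixlen=30):
    """Carve one subnet per customer interface out of the pool (assumed /30 each)."""
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefixlen)
    return {next(subnets): ifname for ifname in interfaces}

def lookup(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [net for net in fib if ip in net]
    if not matches:
        return None
    return fib[max(matches, key=lambda n: n.prefixlen)]

def urpf_strict(fib, ingress_if, src):
    """Strict uRPF: accept only if the route back to src points at the ingress interface."""
    return lookup(fib, src) == ingress_if

# Constructed sample topology (documentation address space, hypothetical VLAN names).
POOL = "192.0.2.0/24"
# One L3 segment per customer: Vlan101 -> 192.0.2.0/30, Vlan102 -> 192.0.2.4/30, ...
PER_CUSTOMER = build_fib(POOL, ["Vlan101", "Vlan102", "Vlan103"])
# All customers in one shared L3 segment: the whole pool sits behind one interface.
SHARED = {ipaddress.ip_network(POOL): "Vlan100"}

def verdicts():
    """Return (case, accepted) pairs for packets arriving from a customer port."""
    cases = [
        ("per-customer, own address", PER_CUSTOMER, "Vlan101", "192.0.2.2"),
        ("per-customer, neighbour's address", PER_CUSTOMER, "Vlan101", "192.0.2.6"),
        ("per-customer, unrouted address", PER_CUSTOMER, "Vlan101", "198.51.100.7"),
        # Same subnet, same interface: the router cannot tell the customers apart.
        ("shared segment, neighbour's address", SHARED, "Vlan100", "192.0.2.6"),
    ]
    return [(name, urpf_strict(fib, ifname, src)) for name, fib, ifname, src in cases]

if __name__ == "__main__":
    for name, accepted in verdicts():
        print(f"{name:40s} {'accept' if accepted else 'drop'}")
```

The last case passes because the reverse route for any address in a shared subnet points at the same interface, so the router alone cannot filter address theft inside one segment.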