[c-nsp] IPV6 in general was Re: Large networks
Grzegorz Janoszka
Grzegorz at Janoszka.pl
Sun Aug 30 12:17:45 EDT 2009
Gert Doering wrote:
> What exactly is "incredibly insecure" in *sending* RAs?
>
> I could understand if a host does not want to *receive* RAs, if the
> network environment is not trusted and there is no SeND available yet.
Maybe there is nothing that wrong with sending, but I recently compared DHCP
and ND RA. A DHCP address offer is very easy to match with an L3
access-list, so you can make an access-list on a switch to filter all
DHCP offers on ports other than your uplink.
But try to do it with RA. As far as I checked, it is not that easy.
A normal L3 ACL would not match RA messages while allowing other ND traffic.
--
Grzegorz Janoszka
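As an added illustration (not part of the original post, and not any vendor's ACL code), here is what the two matches look like when written out as a packet classifier in Python. A DHCP offer is identified from the IP protocol, the UDP ports and the BOOTP op byte alone, while an RA can only be told apart from other ND messages (RS, NS, NA) by the ICMPv6 type field, which sits after the IPv6 base header and any extension headers. The sample frames are constructed by hand for this example, and the port names (`uplink`, `gi0/5`) are placeholders.

```python
import struct

ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58
IPV6_FRAGMENT = 44
# Extension headers that can sit between the IPv6 base header and ICMPv6
IPV6_EXT_HEADERS = {0, 43, 44, 60}   # hop-by-hop, routing, fragment, destination options
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def classify(frame: bytes) -> str:
    """Classify an Ethernet frame as 'dhcp-offer', 'nd-<type>' or 'other'."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]
    if ethertype == ETH_IPV4:
        # The DHCP offer match needs only IP protocol, UDP ports and the BOOTP op byte
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != IPPROTO_UDP:
            return "other"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        bootp = pkt[ihl + 8:]
        if sport == 67 and dport == 68 and bootp and bootp[0] == 2:   # op=2 is BOOTREPLY
            return "dhcp-offer"
        return "other"
    if ethertype == ETH_IPV6:
        # The RA match needs the ICMPv6 type, which sits after any extension headers
        next_hdr, offset = pkt[6], 40
        while next_hdr in IPV6_EXT_HEADERS:
            if next_hdr == IPV6_FRAGMENT:
                frag_off = struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3
                if frag_off != 0:
                    return "other"      # non-initial fragment: no ICMPv6 header to inspect
                ext_len = 8             # fragment header has a fixed length
            else:
                ext_len = (pkt[offset + 1] + 1) * 8   # length field is in 8-octet units minus 1
            next_hdr = pkt[offset]
            offset += ext_len
        if next_hdr != IPPROTO_ICMPV6:
            return "other"
        nd = ND_TYPES.get(pkt[offset])
        return f"nd-{nd}" if nd else "other"
    return "other"


def permit(frame: bytes, port: str, uplink: str = "uplink") -> bool:
    """Port policy from the post: DHCP offers and RAs only from the uplink, other ND always."""
    if classify(frame) in ("dhcp-offer", "nd-RA"):
        return port == uplink
    return True


# --- constructed sample frames (hand-built for this example, not captured traffic) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype) + payload


def _ipv4_udp(sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 1]), bytes([255, 255, 255, 255]))
    return ip + udp


def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80000000000000021122fffe334455")   # link-local source
    dst = bytes.fromhex("ff020000000000000000000000000001")   # all-nodes multicast
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 255, src, dst) + payload


def _icmpv6(icmp_type: int) -> bytes:
    # type, code, checksum (left 0 in this sample), then 12 bytes of RA/NS body
    return struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 12


HOP_BY_HOP = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # next=ICMPv6, 8 bytes, PadN option
SAMPLE_DHCP_OFFER = _eth(ETH_IPV4, _ipv4_udp(67, 68, bytes([2, 1, 6, 0]) + b"\x00" * 236))
SAMPLE_DNS_REPLY = _eth(ETH_IPV4, _ipv4_udp(53, 40000, b"\x00" * 12))
SAMPLE_RA = _eth(ETH_IPV6, _ipv6(IPPROTO_ICMPV6, _icmpv6(134)))
SAMPLE_RA_HBH = _eth(ETH_IPV6, _ipv6(0, HOP_BY_HOP + _icmpv6(134)))
SAMPLE_NS = _eth(ETH_IPV6, _ipv6(IPPROTO_ICMPV6, _icmpv6(135)))

if __name__ == "__main__":
    for name, frame in [("DHCP offer", SAMPLE_DHCP_OFFER), ("DNS reply", SAMPLE_DNS_REPLY),
                        ("RA", SAMPLE_RA), ("RA + hop-by-hop", SAMPLE_RA_HBH), ("NS", SAMPLE_NS)]:
        print(f"{name:16} -> {classify(frame):10} permit on access port: {permit(frame, 'gi0/5')}")
```

The DHCPv4 branch never looks past the UDP header and the first BOOTP byte, which is why a port-based L3/L4 rule suffices there. The IPv6 branch has to walk to the ICMPv6 type before it can separate an RA from an NS or NA, and a non-initial fragment carries no ICMPv6 header at all, so a filter that only sees headers cannot classify it.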