[c-nsp] IPV6 in general was Re: Large networks

Grzegorz Janoszka Grzegorz at Janoszka.pl
Sun Aug 30 12:17:45 EDT 2009


Gert Doering wrote:
> What exactly is "incredibly insecure" in *sending* RAs?
> 
> I could understand if a host does not want to *receive* RAs, if the
> network environment is not trusted and there is no SeND available yet.

Maybe there is nothing that wrong with sending, but I recently compared DHCP 
and ND RA. A DHCP address offer is very easy to match with an l3 
access-list. So you can make an access-list on a switch to filter all 
DHCP offers on ports other than your uplink.
But try to do it with RA. As far as I checked, it is not that easy. 
A normal l3 ACL would not match RA messages while allowing other ND traffic.

-- 
Grzegorz Janoszka
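As an added illustration (not from this thread), the field a filter has to see is the ICMPv6 type: a Router Advertisement is ICMPv6 type 134, while the rest of Neighbor Discovery uses types 133, 135 and 136. The following assumes Cisco IOS IPv6 ACL syntax and a placeholder interface name, and is applied inbound on access ports only, never on the uplink that carries the legitimate router's RAs.

```cisco
! Added example, not the thread author's configuration.
! Assumes IOS IPv6 ACL syntax; interface name is a placeholder.
ipv6 access-list DROP-ROGUE-RA
 remark RA = ICMPv6 type 134, the one ND message to stop on access ports
 deny icmp any any router-advertisement
 remark keep the rest of ND working: RS (133), NS (135), NA (136)
 permit icmp any any router-solicitation
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit ipv6 any any
!
interface GigabitEthernet0/2
 description access port (placeholder), not the uplink
 ipv6 traffic-filter DROP-ROGUE-RA in
```

Whether a given switch can apply an IPv6 ACL to a port at all is platform dependent (on some Catalyst models an IPv6-capable SDM template is a prerequisite), which is the practical reason this is harder than the DHCP case.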
