[c-nsp] IPV6 in general was Re: Large networks

TJ trejrco at gmail.com
Mon Aug 31 07:53:36 EDT 2009


>> I disagree. Not worse than DHCP. By the way how do you distribute
>> parameters for local links?

++1


>DHCP fake offers are better filterable I think. With v6 we now use mostly
>static IP addressing. Still working for DHCP over v6.

Not really; I would (hypothetically) hand out valid addresses but point your
hosts to me for DNS resolution. Eve wins.
On the reverse side, I could manually configure my host for a "valid" IP.
Eve wins.

Filtering by address sub-ranges is a losing proposition for the most part,
low ROI.
Simply filter by the valid prefixes (uRPF) and spend the time securing your
hosts :).

Things like RA Guard help mitigate the impact of rogue RAs being sent on the
wire, and SEND/CGA (once deployable) will help a bunch as well.
MLD Snooping can help prevent some of the MITM attacks as well.


... Moving forward, I'd also like to see IPv6 versions of things like
Dynamic ARP inspection, DHCP Guard ... 
/TJ
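An added example, not part of TJ's message or the list thread: a small Python audit of IPv6 Router Advertisements that makes the "valid prefix, attacker's DNS" case above concrete. It parses the RA header plus the Prefix Information and RDNSS options and flags RAs that come from an untrusted sender, advertise an unexpected prefix, or point hosts at an unexpected resolver. The trusted-router MAC, prefix and DNS values are constructed placeholders, and the sample RAs are built inline (checksum zeroed) so it runs offline.

```python
import ipaddress
import struct

ICMPV6_RA, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25

# Constructed trust baseline for the monitored link (hypothetical values).
TRUSTED_ROUTERS = {"00:00:5e:00:53:01"}
TRUSTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
TRUSTED_DNS = {ipaddress.IPv6Address("2001:db8:1::53")}

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement: header, Prefix Information and RDNSS options."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    prefixes, dns, off = [], [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")            # a zero-length option would loop forever
        body = payload[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif otype == OPT_RDNSS and olen >= 24:             # reserved(2) + lifetime(4) + N addresses
            dns.extend(ipaddress.IPv6Address(body[i:i + 16]) for i in range(6, len(body) - 15, 16))
        off += olen
    return {"prefixes": prefixes, "dns": dns}

def audit_ra(payload: bytes, src_mac: str) -> list:
    """Return findings for one RA: untrusted sender, unexpected prefix, or unexpected RDNSS server."""
    ra = parse_ra(payload)
    findings = []
    if src_mac.lower() not in TRUSTED_ROUTERS:
        findings.append(f"RA from untrusted source {src_mac}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in TRUSTED_PREFIXES]
    findings += [f"unexpected RDNSS server {d}" for d in ra["dns"] if d not in TRUSTED_DNS]
    return findings

def build_ra(prefix: str, dns_server: str) -> bytes:
    """Construct a sample RA (checksum zeroed) carrying one Prefix Information and one RDNSS option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800)
    return hdr + pio + net.network_address.packed + rdnss + ipaddress.IPv6Address(dns_server).packed

# Constructed samples: the real router, and a rogue that advertises the valid prefix but its own DNS.
GOOD_RA = build_ra("2001:db8:1::/64", "2001:db8:1::53")
ROGUE_RA = build_ra("2001:db8:1::/64", "2001:db8:bad::53")

if __name__ == "__main__":
    print(audit_ra(GOOD_RA, "00:00:5e:00:53:01"))   # []
    print(audit_ra(ROGUE_RA, "00:00:5e:00:53:ee"))  # untrusted source + unexpected RDNSS server
```

The rogue RA passes a prefix-only check, which is the point of the message above: address-range filtering alone does not catch it, the RDNSS comparison does.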
