[c-nsp] Cisco 6500/Sup720 ARP CoPP
Nick Hilliard
nick at inex.ie
Tue Feb 9 15:13:49 EST 2010
On 09/02/2010 19:37, Saku Ytti wrote:
> I think you've gathered relevant and correct data, I don't think PFC3
> supports ARP match in CoPP. So you must use MLS rate-limiter, where you
> have to remember that AFAIK this is also for transit ARP which you might be
> bridging as a switch.
so, this looks like an effective attack vector for trashing sup720 RPs then
- if you have l2 access to the device. Makes a good argument for
implementing arp sponges on core paths and edges so that this cannot be
exploited remotely.
I assume that ipv6 nd is sufficiently high up the protocol stack that it
can be managed by copp?
Nick
More information about the cisco-nsp
mailing list