[c-nsp] IPSG vs DAI, is there an use case for IPSG?
Phil Mayers
p.mayers at imperial.ac.uk
Tue Mar 13 04:48:06 EDT 2012
On 03/13/2012 07:24 AM, Shanawaz Batcha wrote:
> because he doesnot send any DHCP packets. But Dynamic arp inspection will
> catch him because he cannot do any ARP replies. And other machines will
> require his arp reply to communicate to him. So static or spoofed IP
> addresses will fail.
>
> Then I am missing the point of why the IPSG is needed?
Yes.
Many attacks do not require (indeed, do not want) a reply packet. It's
enough to just be able to emit the IP packet.
For example: sending DNS queries with a source IP that exists in the
real world, causing the real owner of the IP to be overwhelmed with DNS
packets i.e. DNS amplification attack.
Many of those same attacks can be stopped at the router by uRPF, but
some may not be; intra-subnet spoofing may be a valuable attack vector
in some cases.
Certainly DAI stops many layer2 attacks. But not all.
More information about the cisco-nsp
mailing list