[nsp-sec] How to hijack traffic for an entire Content/Ad Company - ARP Poisoning revisited - 8800.org / 6600.org badness

Chris Morrow morrowc at ops-netman.net
Thu Mar 27 11:53:56 EDT 2008



On Thu, 27 Mar 2008, Florian Weimer wrote:

> * Chris Morrow:
>
>> so.. port security is a solved problem for datacenters, no??
>
> Port security does not stop ARP cache poisoning.  You also need static
> ARP tables on all nodes within the same broadcast domain.  It's
> usually easier to give a dedicated IP layer interface to each host.
> In many environments, it's a challenge to implement that.
>

Don't exchange point operators have shared VLANs with MAC locking on each 
port so I can't be YOU and steal/subvert your peering traffic?

> I still don't get why IEEE insists on emulating shared media networks.
> Probably we'll still end up running ARP on 100GE networks. *sigh*

yes, hurray!
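Florian's point above is that port security (MAC locking) only binds a MAC to a switch port; it does nothing about a host on the same broadcast domain answering ARP for an IP it does not own. The usual compensating control, short of static ARP or a dedicated L3 interface per host, is to watch ARP replies and alert when an IP's MAC binding changes. The following is an added example written for this thread, not code from the list or its participants: a minimal ARP reply parser plus an arpwatch-style conflict detector, fed with constructed Ethernet frames (all MACs and IPs are made up) so it runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ETHERTYPE_ARP = 0x0806
ARP_OPER_REPLY = 2


@dataclass(frozen=True)
class ArpReply:
    sender_mac: str
    sender_ip: str


def parse_arp_reply(frame: bytes) -> Optional[ArpReply]:
    """Return the sender binding from an Ethernet II ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_OPER_REPLY):
        return None  # only Ethernet/IPv4 replies are tracked here
    sha, spa = frame[22:28], frame[28:32]
    return ArpReply(":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa))


class ArpWatch:
    """Learns the first MAC seen per IP (or takes a static table) and flags conflicts."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.bindings: Dict[str, str] = dict(static or {})
        self.alerts = []

    def observe(self, frame: bytes) -> Optional[str]:
        reply = parse_arp_reply(frame)
        if reply is None:
            return None
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac  # first sighting: learn it
            return None
        if known != reply.sender_mac:
            alert = f"ARP conflict: {reply.sender_ip} was {known}, now claimed by {reply.sender_mac}"
            self.alerts.append(alert)
            return alert
        return None


def sample_reply_frame(sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build a constructed ARP reply frame purely as offline test input for the watcher."""
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OPER_REPLY) + sha + spa + tha + tpa
    return (eth + arp).ljust(60, b"\x00")  # pad to minimum Ethernet frame size
```

In practice the frames come from a raw socket or a pcap on the exchange VLAN, and the static table is seeded from the peering database so the first-seen learning step cannot be won by whoever answers first.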
