How to preempt rogue RAs?

Jussi Peltola pelzi at pelzi.net
Fri Nov 5 06:57:34 CET 2010


On Fri, Nov 05, 2010 at 06:23:12AM +0100, Mikael Abrahamsson wrote:
> Intelligent L2 equipment doing forced-forwarding/private vlan and using
> local-proxy-arp in the L3 equipment makes all traffic go through the
> router even though it's within the same vlan/subnet.
>
> There should be no trust with customers, they should be treated as
> insecure and all care should be taken to protect customers from other
> customers when it comes to arp spoofing, sourcing of packets that haven't
> been handed out to them etc. Anything else is reckless and will cause
> problems down the line.

But you still need dhcp snooping and ipsg to avoid source address and
non-gateway arp spoofing. And it won't stop users from denying service
to others if they decide to use the same mac address, but that's yet
another can of worms especially with dhcp.

With separate (unnumbered) vlans per customer you can work around these
problems, since every user really gets their own separate L2 segment. I
find the vlan interfaces much less cumbersome than locking the mac
address per port, which is pretty much the only way to make a private
vlan secure even in theory (how does the L3 device know who originated
the packet without that?)

With QinQ a vlan per customer is pretty manageable with a svlan per
switch or per stack and a vlan per port. It's also quite convenient to
be able to give the user any kind of service via that vlan by just
configuring the terminating L3 device; you almost never have to touch
the devices in the middle.
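The two designs discussed in this thread, shown side by side as an added configuration example (it is not from either poster and not from any project). The syntax is Cisco IOS-style; the interface names, VLAN numbers (customer VLAN 100, S-VLAN 2001, per-port C-VLANs 10 and 11), and the IP addressing are assumptions chosen for illustration. The first block is the flat shared-VLAN port with nothing stopping ARP or source-address spoofing; the second adds DHCP snooping, IP source guard tied to port security, and protected ports; the third is the QinQ per-customer VLAN layout with an S-VLAN per access switch and a C-VLAN per port, terminated on the L3 device.

```cisco
!
! 1) Weak: shared customer VLAN, no snooping, no source guard.
!    Any customer can answer ARP for the gateway or source any address.
!
interface GigabitEthernet1/0/1
 description customer port (shared vlan, unprotected)
 switchport mode access
 switchport access vlan 100
!
! 2) Hardened shared VLAN: DHCP snooping + IPSG + port security + protected port.
!    IPSG only permits IP/MAC pairs learned from the snooping binding table,
!    and "port-security" on the verify line makes the MAC part of that check.
!
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface GigabitEthernet1/0/24
 description uplink toward DHCP relay / router (only trusted port)
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description customer port (hardened)
 switchport mode access
 switchport access vlan 100
 switchport protected
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 3) QinQ alternative: one C-VLAN per customer port on the access switch,
!    the aggregation switch wraps the whole access switch in S-VLAN 2001,
!    and the router terminates each customer as its own L2 segment.
!
! --- access switch (C-VLANs 10, 11 = one per port; trunk carries them up) ---
vlan 10
 name customer-port-1
vlan 11
 name customer-port-2
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 11
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description uplink to aggregation
 switchport mode trunk
!
! --- aggregation switch: the port facing that access switch is a Q-in-Q tunnel ---
vlan 2001
 name svlan-access-switch-A
!
interface GigabitEthernet2/0/1
 description access switch A, S-VLAN 2001
 switchport access vlan 2001
 switchport mode dot1q-tunnel
!
! --- L3 device: one subinterface per customer, unnumbered against a loopback ---
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0.200110
 description customer on switch A port 1 (S-VLAN 2001 / C-VLAN 10)
 encapsulation dot1Q 2001 second-dot1q 10
 ip unnumbered Loopback0
!
interface GigabitEthernet0/0.200111
 description customer on switch A port 2 (S-VLAN 2001 / C-VLAN 11)
 encapsulation dot1Q 2001 second-dot1q 11
 ip unnumbered Loopback0
```

In the hardened shared-VLAN case, remember that `ip verify source port-security` needs the binding table to be populated first, so the snooping database should survive a reload (for example via `ip dhcp snooping database`) or customers will be blocked until they renew; and, as noted in the thread, it still does nothing against two customers deliberately presenting the same MAC. The QinQ layout sidesteps that class of problem because the L3 device sees each C-VLAN as a distinct segment, and the switches in the middle carry no per-customer configuration beyond the access VLAN on the port.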


More information about the ipv6-ops mailing list