IPv6 equivalent to DHCP Option 82 for geolocating customer MACs to certain ports of Multi-port Layer 2 demarcation devices
Gert Doering
gert at space.net
Sun May 8 11:57:52 CEST 2011
Hi
On Sun, May 08, 2011 at 11:43:36AM +0200, Florian Weimer wrote:
> * Gert Doering:
>
> > SeND alone will validate the IPv6-to-MAC layer mapping, which nicely
> > solves all attacks against redirecting IPv6 packets to a different
> > MAC address. Combine with static MAC addressing at switch ports
> > (port-security or static) and you have solved the problem of one
> > customer stealing another customer's IPv6 packets.
>
> You still need unicast flood protection.
What's the attack that would be prevented by that? ND cache overflowing?
> Does this type of static address configuration really work in
> practice? I would expect to cause it trouble with mobile devices and
> virtualization.
Well, it depends on what type of devices you have there, and what the
attacks are that you want to defend against.
Gert Doering
-- NetMaster
--
did you enable IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 306 bytes
Desc: not available
URL: <https://lists.cluenet.de/pipermail/ipv6-ops/attachments/20110508/a17bf1ab/attachment.sig>
More information about the ipv6-ops
mailing list