How to preempt rogue RAs?
Mikael Abrahamsson
swmike at swm.pp.se
Fri Nov 5 06:23:12 CET 2010

On Thu, 4 Nov 2010, Alan Batie wrote:

> One problem we have had with the PPPoE connections is MTU and sites that
> improperly filter icmp with the well known result. So we are starting
> to lean back to the vlan approach. That would allow regulated
> peer-to-peer by putting them on the same vlan then.

Intelligent L2 equipment doing forced-forwarding/private vlan and using
local-proxy-arp in the L3 equipment makes all traffic go through the
router even though it's within the same vlan/subnet.

There should be no trust with customers; they should be treated as
unsecure and all care should be taken to protect customers from other
customers when it comes to arp spoofing, sourcing of packets that haven't
been handed out to them, etc. Anything else is reckless and will cause
problems down the line.

--
Mikael Abrahamsson email: swmike at swm.pp.se
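
Added example, not part of the original message and not any vendor's implementation: a small Python model of the access-layer policy the post describes, with forced forwarding towards the router port plus per-port checks on ARP claims, IP source addresses and router advertisements. The port names, the binding table and the sample frames are constructed for illustration, and link-local/DHCP traffic is not modelled.

```python
from ipaddress import ip_address

UPLINK = "uplink"  # assumed name for the router-facing port
# Constructed binding table: customer port -> addresses handed out to it.
BINDINGS = {
    "cust1": {ip_address("192.0.2.10")},
    "cust2": {ip_address("192.0.2.11")},
}

def may_forward(in_port, out_port):
    """Forced forwarding: customer ports only exchange frames with the uplink."""
    return in_port != out_port and UPLINK in (in_port, out_port)

def check_ingress(port, frame):
    """Return (accepted, reason) for a frame arriving on `port`."""
    if port == UPLINK:
        return True, "uplink is the only trusted port"
    assigned = BINDINGS.get(port, set())
    kind = frame["kind"]
    if kind == "ra":
        # Customers are never routers, so an RA from an access port is dropped.
        return False, "router advertisement from a customer port"
    if kind == "arp":
        claimed = ip_address(frame["sender_ip"])
        ok = claimed in assigned
        return ok, "ARP matches binding" if ok else f"ARP claims unassigned {claimed}"
    if kind == "ip":
        src = ip_address(frame["src"])
        ok = src in assigned
        return ok, "source matches binding" if ok else f"source {src} not handed out"
    return False, "unmodelled frame type dropped"

# Constructed sample traffic (documentation addresses only).
SAMPLES = [
    ("cust1", {"kind": "ip", "src": "192.0.2.10"}),        # own address
    ("cust1", {"kind": "arp", "sender_ip": "192.0.2.1"}),  # claims another address
    ("cust2", {"kind": "ip", "src": "192.0.2.10"}),        # neighbour's address
    ("cust2", {"kind": "ra"}),                             # RA from a customer
    (UPLINK, {"kind": "ra"}),                              # RA from the router
]

def audit(samples=SAMPLES):
    """Return the accept/drop decision for each sample frame, in order."""
    return [check_ingress(port, frame)[0] for port, frame in samples]

if __name__ == "__main__":
    for (port, frame), ok in zip(SAMPLES, audit()):
        print(port, frame, "ACCEPT" if ok else "DROP", check_ingress(port, frame)[1])
```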