IPv6 RA vs DHCPv6 - The chosen one?
- Subject: IPv6 RA vs DHCPv6 - The chosen one?
- From: mohacsi at niif.hu (Mohacsi Janos)
- Date: Fri, 23 Dec 2011 22:36:44 +0100 (CET)
- In-reply-to: <CAPWAtb+NA1Sc03o9U25qXUqQFOv2=aK2WXvJvu2v48ZsXYcbfQ@mail.gmail.com>
- References: <CAE+sBxgt04Myw-MY_pck6=fS52uY25LA+vttsy0iXLrvPJBrHQ@mail.gmail.com> <[email protected]> <[email protected]> <CALFTrnM=UoWHo8oXtOSeJz7ntku9NULmWfg1N0_-1kHPCg+k+A@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <CAPWAtb+NA1Sc03o9U25qXUqQFOv2=aK2WXvJvu2v48ZsXYcbfQ@mail.gmail.com>
On Fri, 23 Dec 2011, Jeff Wheeler wrote:
> On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <mohacsi at niif.hu> wrote:
>> If you can limit the number of ARP/NDP entries per interface and you complement
>> RAGuard and DHCPv4 snooping you are done.
>
> That depends on how ARP/ND gleaning works on the box. In short, Cisco
> already has a knob to limit the number of ND entries per interface on
> some of their kit, and it is not a solution, only a damage mitigation
> measure. http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
The solution is that you monitor your device: if limits are reached then you
get notified and you can resolve the problem.
Best Regards,
Janos Mohacsi
>
> --
> Jeff S Wheeler <jsw at inconcepts.biz>
> Sr Network Operator / Innovative Network Concepts
>
>