On (2010-02-09 20:13 +0000), Nick Hilliard wrote:

> so, this looks like an effective attack vector for trashing sup720 RPs then
> - if you have l2 access to the device. Makes a good argument for
> implementing arp sponges on core paths and edges so that this cannot be
> exploited remotely.
I personally choose to police all ARP, so the attack vector is to congest ARP so that no new hosts can come up, but nothing that used to work would break. If this were JNPR then all hosts would break after ARP timeouts, as JNPR does not refresh the ARP cache on traffic. But there are plenty of attack vectors in L2, like IXP or IS-IS packets; there is no special rate-limiter for them, so they will go to 'class-default'.

> I assume that ipv6 nd is sufficiently high up the protocol stack that it
> can be managed by copp?

There is an mls rate-limiter for ND, but that will also affect transit traffic.

--
++ytti
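The "police all ARP" approach described in the reply above, written out as an added example that is not the poster's configuration and not taken from Cisco documentation: a Cisco IOS control-plane policing (CoPP) policy built with MQC `class-map`/`policy-map` under `control-plane`, which gives ARP its own policed class instead of letting it fall into `class-default` alongside everything else. The class and policy names, the police rates and the burst sizes are illustrative assumptions, not tuned values; the `mls rate-limit unicast cef glean` line is the Catalyst 6500 PFC hardware ARP-glean rate limiter shown for comparison, again with an illustrative rate.

```ios
! Added example (not the poster's config): rate-limit ARP punted to the RP
! on a Catalyst 6500 / sup720 so an ARP flood cannot starve other control
! plane traffic. All rates and burst sizes are illustrative assumptions.
!
! Weak state: no CoPP at all, or a policy with only class-default, so ARP,
! IS-IS and every other punted packet compete for the same policer:
!
! policy-map CoPP-WEAK
!  class class-default
!   police 1000000 conform-action transmit exceed-action drop
!
! Hardened: give ARP its own class with its own policer. An ARP flood then
! exhausts only this class; other control traffic keeps its own budget.
class-map match-all CoPP-ARP
 match protocol arp
!
policy-map CoPP
 class CoPP-ARP
  police 32000 8000 conform-action transmit exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
!
! PFC hardware rate limiter for ARP glean (packets per second, burst):
! caps punts for destinations that have no ARP entry yet, independent of
! the software CoPP policy above.
mls rate-limit unicast cef glean 100 10
```

With the explicit ARP class in place, the failure mode under an ARP flood is the one the reply describes: resolution of new neighbours may fail while the policer is saturated, but existing entries that IOS refreshes on traffic keep forwarding. Checking `show policy-map control-plane` for exceed-action drops in the ARP class is the quickest way to see whether the policer is actually being hit.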