On Jan 6, 2011, at 7:24 AM, Pete Lumbis wrote:

> Off the top of my head I think the best bet would be IPv6 ACLs that allow
> multicast OSPF packets and only unicast OSPF packets from known
> neighbors.

The biggest win in this regard is all the standard hardening/access BCPs for network infrastructure (iACLs, CoPP, DCN, et al.), along with passiving OSPF on interfaces serving access networks.

If an attacker has reached the point that he's able to perturb/abuse the IGP sessions between routers in one's network, one has much more basic security problems than worrying about IPv6/OSPFv3 multicast filtering esoterica, heh.

------------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

    Most software today is very much like an Egyptian pyramid, with millions
    of bricks piled on top of each other, with no structural integrity, but
    just done by brute force and thousands of slaves.

                          -- Alan Kay

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
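
Added example (not part of either message, and not router configuration): a Python model of the filter described in the quoted text, using the standard OSPFv3 groups ff02::5 and ff02::6 and IPv6 next-header 89. The neighbor addresses, sample packets and function names are constructed for illustration; the second function lists what that filter still admits from non-neighbors, which is the part left to passive interfaces and the other BCPs named in the reply.

```python
import ipaddress

OSPF_PROTO = 89  # IPv6 next-header value for OSPF (OSPFv3 rides directly on IPv6)
ALL_SPF_ROUTERS = ipaddress.IPv6Address("ff02::5")
ALL_D_ROUTERS = ipaddress.IPv6Address("ff02::6")

# Constructed neighbor list: link-local addresses of the adjacent routers.
KNOWN_NEIGHBORS = {
    ipaddress.IPv6Address("fe80::1"),
    ipaddress.IPv6Address("fe80::2"),
}

# Constructed inbound packets: (source, destination, next-header).
SAMPLE = [
    ("fe80::1", "ff02::5", 89),    # hello from a known neighbor
    ("fe80::2", "fe80::10", 89),   # unicast OSPF from a known neighbor
    ("fe80::99", "fe80::10", 89),  # unicast OSPF from an unknown source
    ("fe80::99", "ff02::5", 89),   # multicast OSPF from an unknown source
    ("fe80::99", "fe80::10", 58),  # ICMPv6, outside this filter's scope
]


def ospfv3_filter(src, dst, next_header, neighbors=KNOWN_NEIGHBORS):
    """Return 'permit', 'deny' or 'not-ospf' for one inbound packet."""
    if next_header != OSPF_PROTO:
        return "not-ospf"  # left to the rest of the interface ACL
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    if dst in (ALL_SPF_ROUTERS, ALL_D_ROUTERS):
        return "permit"  # multicast OSPF: the quoted policy does not constrain the source
    if dst.is_multicast:
        return "deny"  # OSPF addressed to any other group is unexpected
    return "permit" if src in neighbors else "deny"


def unvetted_permits(packets, neighbors=KNOWN_NEIGHBORS):
    """List (src, dst) pairs the filter permits although src is not a known neighbor."""
    found = []
    for src, dst, next_header in packets:
        permitted = ospfv3_filter(src, dst, next_header, neighbors) == "permit"
        if permitted and ipaddress.IPv6Address(src) not in neighbors:
            found.append((src, dst))
    return found


if __name__ == "__main__":
    for src, dst, nh in SAMPLE:
        print(f"{src:>10} -> {dst:<10} nh={nh:<3} {ospfv3_filter(src, dst, nh)}")
    print("permitted from non-neighbors:", unvetted_permits(SAMPLE))
```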