On 06/23/2011 10:30 PM, David Farmer wrote:
>> There probably is no single solution. But let's consider the
>> solution Mark proposed: use the fact that you control the
>> infrastructure to control the flow of packets on the network in such
>> a way that rogue RAs cannot reach leaf nodes. The reason I object
>> to this solution, in addition to the fact that it breaks multicast,
>> is that it's a firewall solution: the client doesn't know it's safe,
>> and as soon as it connects to a network that's not protected in this
>> way, it's vulnerable. But the model of using infrastructure control
>> as a credential is interesting.
>
> I don't think of RA-Guard and DHCP-Guard filters as security measures,
> they are simply network management and operations techniques. They
> don't make the network more secure, but they can make operating some
> networks much easier.

If they can mitigate specific attack vectors, they do make the network
more secure.

Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------