On 4/22/12, Grant Ridder <shortdudey123@gmail.com> wrote:
> Most switches nowadays have dhcpv4 detection that can be enabled for port
> -Grant

Yes. Many L2 switches have DHCPv4 "snooping", where some port(s) can be designated as trusted DHCP server ports for certain VLANs, and DHCP messages can be detected and suppressed from unauthorized edge ports. Particularly good L2 switches also have DAI or "IP Source Guard" IPv4 functions, which, when properly enabled, can foil certain L2 ARP and IPv4 source address spoofing attacks, respectively; e.g., if the source IP address of a packet does not match one of the DHCP leases issued to that port, then drop the packet.

As for IPv6, see RFC 6105: you have ipv6 nd raguard and IOS NDP inspection. However, there are caveats that should be noted. RA guard implementations can be trivially fooled by the use of crafted packets. These are potentially good protections against accidental configuration errors, but not against malicious attack from a general purpose computer.

Currently, IPv4 seems to win at L2 easily in regards to the level of hardware security features commonly available on L2 switches that pertain to IP.

--
-JH
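The three IPv4 features named in the reply (DHCP snooping, DAI and IP Source Guard) all hang off one binding table that snooping builds from the DHCP exchange. The following is an added example, not part of the thread and not any vendor's switch code: a toy software model of that table and of the per-port checks, run over constructed traffic. Port names (Gi1/0/5, Gi1/0/7, Gi1/0/24), VLAN 10 and all MAC/IP addresses are made up for the illustration. The IPSG check here matches both source IP and source MAC against the lease, which is the stricter of the two modes real switches offer.

```python
"""Toy model of the IPv4 L2 protections discussed in the reply: DHCP
snooping, Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
All three key off one binding table learned from the DHCP exchange.
Constructed example, not switch firmware; names and addresses are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Frame:
    port: str                 # ingress port
    vlan: int
    src_mac: str
    kind: str                 # "dhcp", "arp" or "ip"
    dhcp_type: str = ""       # discover/request (client) or offer/ack/nak (server)
    dhcp_chaddr: str = ""     # DHCP client hardware address field
    dhcp_yiaddr: str = ""     # address offered/assigned by the server
    arp_sender_ip: str = ""
    arp_sender_mac: str = ""
    src_ip: str = ""          # IPv4 source address of a data packet


SERVER_MSGS = {"offer", "ack", "nak"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(snooped_vlans)
        self.pending = {}        # (client mac, vlan) -> port that sent the request
        self.bindings = {}       # (mac, vlan) -> Binding

    def _port_bindings(self, port, vlan):
        return [b for b in self.bindings.values() if b.port == port and b.vlan == vlan]

    def handle(self, f: Frame) -> str:
        """Return 'forward' or 'drop: <reason>' for one ingress frame."""
        if f.vlan not in self.vlans:
            return "forward"                       # snooping not enabled on this VLAN
        if f.port in self.trusted:
            if f.kind == "dhcp" and f.dhcp_type in SERVER_MSGS:
                self._learn(f)                     # server reply completes a binding
            return "forward"                       # trusted ports are not inspected
        return {"dhcp": self._dhcp, "arp": self._arp, "ip": self._ipsg}[f.kind](f)

    def _dhcp(self, f):
        # Untrusted edge port: only client messages may enter, and the client
        # hardware address must be the frame's own source MAC.
        if f.dhcp_type in SERVER_MSGS:
            return "drop: DHCP server message on untrusted port"
        if f.dhcp_chaddr != f.src_mac:
            return "drop: DHCP chaddr does not match source MAC"
        self.pending[(f.src_mac, f.vlan)] = f.port
        return "forward"

    def _learn(self, f):
        # Bind the assigned address to the port where that client's request arrived.
        port = self.pending.get((f.dhcp_chaddr, f.vlan))
        if f.dhcp_type == "ack" and port is not None:
            self.bindings[(f.dhcp_chaddr, f.vlan)] = Binding(
                f.dhcp_chaddr, f.dhcp_yiaddr, f.vlan, port)

    def _arp(self, f):
        # DAI: the sender IP/MAC pair must be a binding learned on this very port.
        ok = any(b.ip == f.arp_sender_ip and b.mac == f.arp_sender_mac
                 for b in self._port_bindings(f.port, f.vlan))
        return "forward" if ok else "drop: ARP sender not in binding table"

    def _ipsg(self, f):
        # IP Source Guard (IP+MAC mode): source must be a lease issued to this port.
        ok = any(b.ip == f.src_ip and b.mac == f.src_mac
                 for b in self._port_bindings(f.port, f.vlan))
        return "forward" if ok else "drop: source IP not leased to this port"


def run_scenario():
    """Constructed traffic on VLAN 10: Gi1/0/24 is the uplink to the real DHCP
    server, Gi1/0/5 is a normal client, Gi1/0/7 is an attacker."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"}, snooped_vlans={10})
    client, attacker, server = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "00:aa:bb:cc:dd:ee"
    v = {}
    v["rogue_offer"] = sw.handle(Frame("Gi1/0/7", 10, attacker, "dhcp", dhcp_type="offer",
                                       dhcp_chaddr=client, dhcp_yiaddr="10.0.0.50"))
    v["discover"] = sw.handle(Frame("Gi1/0/5", 10, client, "dhcp", dhcp_type="discover",
                                    dhcp_chaddr=client))
    v["ack"] = sw.handle(Frame("Gi1/0/24", 10, server, "dhcp", dhcp_type="ack",
                               dhcp_chaddr=client, dhcp_yiaddr="10.0.0.50"))
    v["client_ip"] = sw.handle(Frame("Gi1/0/5", 10, client, "ip", src_ip="10.0.0.50"))
    v["spoofed_ip"] = sw.handle(Frame("Gi1/0/7", 10, attacker, "ip", src_ip="10.0.0.50"))
    v["client_arp"] = sw.handle(Frame("Gi1/0/5", 10, client, "arp",
                                      arp_sender_ip="10.0.0.50", arp_sender_mac=client))
    v["gw_spoof_arp"] = sw.handle(Frame("Gi1/0/7", 10, attacker, "arp",
                                        arp_sender_ip="10.0.0.1", arp_sender_mac=attacker))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} {verdict}")
```

The rogue OFFER on the edge port is dropped before any client can see it, the legitimate lease becomes a binding tied to Gi1/0/5, and the attacker on Gi1/0/7 is stopped both when it borrows the client's address (IPSG) and when it claims the gateway's IP in ARP (DAI). Note that every check here depends on the binding table being right; as the reply points out, the IPv6 counterparts (RA guard, NDP inspection) are much easier to evade with crafted packets, which this model does not attempt to capture.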