On 5/10/2011 12:57 AM, Jeff Wheeler wrote:
Your suggestion has two main disadvantages: 1) it doesn't work on some platforms, because input ACL won't stop ND learn/solicit -- obviously this is bad 2) it requires you to configure a potentially large input ACL on every single interface on the box, and adjust that ACL whenever you provision more IPv6 addresses for end-hosts -- kinda like not having a control-plane filter, only worse
Might need to rewrite some portion of ND to do this, but can't a cookie be encoded in the ND packet and no state kept? That should reduce the problem to one of a packet flood which everyone already deals with now. Sorry if this has been suggested/shot down before. The ND problems keep being mentioned and I never see this proposed and it seems like an obvious solution. Robert