On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:

> On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
>
>> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
>>
>>> Particularly good L2 switches also have DAI or "IP Source Guard" IPv4 functions, which, when properly enabled, can foil certain L2 ARP and IPv4 source address spoofing attacks, respectively.
>>>
>>> e.g. Source IP address of the packet does not match one of the DHCP leases issued to that port -- then drop the packet.
>>
>> Meh... I can see many cases where that might be more of a bug than a feature.
>>
>> Especially in environments where loops may be possible and the DHCP lease might have come over a different path than the port in question during some network event.
>
> You're only supposed to use those features on the port directly connected to the end-system, or to a few end-systems via an unmanaged office switch that doesn't have redundant uplinks. I.e. edge ports.

In a lot of cases, enforcing that all address assignments are via DHCP can still be counter-productive. Especially in IPv6.

Owen
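The per-port lease check Jimmy describes, together with the edge-port caveat Chuck and Owen raise, modelled as a small Python simulation. This is an added example written for this page, not code from the thread and not any switch vendor's implementation; the port names (Gi0/1, Gi0/48), MAC addresses and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed sample data, and a real snooping binding table also records the VLAN, which is omitted here for brevity.

```python
"""Model of DHCP-snooping-based IP Source Guard on an untrusted edge port.

Rule being modelled (from the thread): a frame entering an untrusted port is
forwarded only if its source IP matches a DHCP lease the switch saw issued on
that same port; otherwise it is dropped.  DHCP client traffic from 0.0.0.0 must
still pass, or the host could never obtain a lease in the first place.
Trusted ports (uplinks, DHCP-server-facing ports) are not checked at all.
"""
from dataclasses import dataclass, field


@dataclass
class Binding:
    """One snooped lease.  Real tables also carry the VLAN (omitted here)."""
    port: str
    mac: str
    ip: str
    expires: int  # absolute time in seconds on an assumed monotonic clock


@dataclass
class SourceGuard:
    bindings: dict = field(default_factory=dict)   # (port, ip) -> Binding
    trusted_ports: set = field(default_factory=set)

    def learn_dhcp_ack(self, port, mac, ip, lease_seconds, now):
        """Called when the switch snoops a DHCP ACK delivered towards `port`."""
        self.bindings[(port, ip)] = Binding(port, mac, ip, now + lease_seconds)

    def expire(self, now):
        """Drop bindings whose lease has run out; the host must renew to keep sending."""
        self.bindings = {k: b for k, b in self.bindings.items() if b.expires > now}

    def allow(self, port, mac, src_ip, now, is_dhcp=False):
        """Return True if a frame from (port, mac, src_ip) is forwarded."""
        self.expire(now)
        if port in self.trusted_ports:
            return True            # uplink: no source check (this is why it must not be an edge port)
        if is_dhcp and src_ip == "0.0.0.0":
            return True            # DHCP DISCOVER/REQUEST before any lease exists
        b = self.bindings.get((port, src_ip))
        return b is not None and b.mac == mac


def demo():
    """Walk through the cases discussed in the thread; returns a dict of verdicts."""
    host_mac = "00:00:5e:00:53:01"            # constructed sample MAC
    sg = SourceGuard(trusted_ports={"Gi0/48"})  # Gi0/48 assumed to be the uplink
    now = 0
    r = {}
    # 1. Host on edge port Gi0/1 boots and obtains a lease.
    r["discover"] = sg.allow("Gi0/1", host_mac, "0.0.0.0", now, is_dhcp=True)
    sg.learn_dhcp_ack("Gi0/1", host_mac, "192.0.2.10", lease_seconds=3600, now=now)
    r["leased"] = sg.allow("Gi0/1", host_mac, "192.0.2.10", now + 1)
    # 2. Spoofing attempts that the feature is meant to stop.
    r["spoof_ip"] = sg.allow("Gi0/1", host_mac, "192.0.2.99", now + 1)             # wrong IP, same port
    r["spoof_other_port"] = sg.allow("Gi0/2", "00:00:5e:00:53:02", "192.0.2.10", now + 1)  # someone else claims the IP
    # 3. Owen's failure mode: the lease was learned on a different port than the one the
    #    host now sends on (topology change, or a loop during a network event) -> dropped.
    r["moved_host"] = sg.allow("Gi0/2", host_mac, "192.0.2.10", now + 1)
    # 4. A statically addressed host never had a lease snooped, so it is dropped too.
    r["static_host"] = sg.allow("Gi0/3", "00:00:5e:00:53:03", "192.0.2.50", now + 1)
    # 5. Lease expiry without renewal cuts the host off.
    r["expired"] = sg.allow("Gi0/1", host_mac, "192.0.2.10", now + 3601)
    # 6. Trusted uplink: anything passes.
    r["uplink"] = sg.allow("Gi0/48", "00:00:5e:00:53:ff", "198.51.100.1", now)
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} {'forward' if verdict else 'DROP'}")
```

Cases 3 and 4 are the "bug rather than feature" outcomes: the check is correct for a single host hanging off its own access port, but a lease learned on a different port, or a host that never used DHCP, is silently dropped, which is why the feature belongs on edge ports only and why mandating DHCP for every address (especially with IPv6 SLAAC in play) is not always desirable.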