On Wed, Jan 5, 2011 at 1:02 PM, TJ <trejrco@gmail.com> wrote:
> Many would argue that the version of IP is irrelevant, if you are permitting external hosts the ability to scan your internal network in an unrestricted fashion (no stateful filtering or rate limiting) you have already lost, you
How do you propose to rate-limit this scanning traffic? More router knobs are needed. This also does not solve problems with malicious hosts on the LAN. A stateful firewall on every router interface has been suggested already on this thread. It is unrealistic.
> Even granting that, for the sake of argument - it seems like it would not be hard for $vendor to have some sort of "emergency garbage collection" routines within their NDP implementations ... ?
How do you propose the router know what entries are "garbage" and which are needed? Eliminating active, "good" entries to allow for more churn would make the problem much worse, not better.

--
Jeff S Wheeler <jsw@inconcepts.biz> +1-212-981-0607
Sr Network Operator / Innovative Network Concepts
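The point argued above, that a router which evicts active entries to make room for unresolved ones ends up worse off, can be shown with a small model of a neighbor cache. The following is an added illustration written for this page, not code from the thread or from any vendor's NDP implementation: a toy cache that holds INCOMPLETE (resolution pending) and REACHABLE (resolved, in use) entries, with two policies under the same burst of packets to addresses that no host answers for. The "naive GC" policy evicts the oldest entry regardless of state; the alternative, assumed here as the mitigation, refuses new INCOMPLETE entries once a per-interface cap on unresolved entries is reached and never touches resolved ones. Capacity, limits, host count and all addresses are constructed values.

```python
from collections import OrderedDict

INCOMPLETE = "INCOMPLETE"   # address resolution in progress, no link-layer address yet
REACHABLE = "REACHABLE"     # neighbor has answered; entry is in active use


class NeighborCache:
    """Toy IPv6 neighbor cache for one router interface (illustrative model only)."""

    def __init__(self, capacity, incomplete_limit=None):
        self.capacity = capacity                  # total entries the interface can hold
        self.incomplete_limit = incomplete_limit  # cap on unresolved entries, or None for no cap
        self.entries = OrderedDict()              # addr -> state, oldest first
        self.evicted_good = 0                     # REACHABLE entries thrown away under pressure
        self.dropped = 0                          # packets refused because the unresolved cap was hit

    def _count(self, state):
        return sum(1 for s in self.entries.values() if s == state)

    def forward(self, addr):
        """A packet for addr arrives on this interface. Returns True if it is accepted."""
        if addr in self.entries:
            self.entries.move_to_end(addr)        # active entry, keep it young
            return True
        if (self.incomplete_limit is not None
                and self._count(INCOMPLETE) >= self.incomplete_limit):
            self.dropped += 1                     # refuse new unresolved work; resolved entries are untouched
            return False
        if len(self.entries) >= self.capacity:
            _, state = self.entries.popitem(last=False)  # naive GC: evict the oldest, whatever its state
            if state == REACHABLE:
                self.evicted_good += 1
        self.entries[addr] = INCOMPLETE
        return True

    def resolve(self, addr):
        """Neighbor Advertisement received for addr (only a real host answers)."""
        if addr in self.entries:
            self.entries[addr] = REACHABLE


def simulate(capacity, incomplete_limit, n_hosts=50, n_probe=1000):
    """Resolve n_hosts real neighbors, then deliver n_probe packets to unused addresses."""
    cache = NeighborCache(capacity, incomplete_limit)
    hosts = [f"2001:db8::{i:x}" for i in range(1, n_hosts + 1)]   # constructed host addresses
    for h in hosts:                           # legitimate hosts resolve normally
        cache.forward(h)
        cache.resolve(h)
    for i in range(n_probe):                  # burst toward addresses with no host behind them
        cache.forward(f"2001:db8::dead:{i:x}")   # constructed, never resolved
    survivors = sum(1 for h in hosts if cache.entries.get(h) == REACHABLE)
    return {"reachable_hosts_kept": survivors,
            "good_entries_evicted": cache.evicted_good,
            "probes_dropped": cache.dropped}


if __name__ == "__main__":
    # Same capacity, same traffic; only the policy differs.
    print("naive GC:          ", simulate(capacity=200, incomplete_limit=None))
    print("bounded INCOMPLETE:", simulate(capacity=200, incomplete_limit=100))
```

With the naive policy every resolved entry is pushed out by unresolved ones once the table fills, so each returning legitimate packet triggers a fresh solicitation and the cache churns harder. Bounding the number of INCOMPLETE entries per interface sheds only the unresolved work, and the fifty real neighbors stay REACHABLE; this is the distinction the reply above is drawing between "garbage" and needed entries.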