On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
On 4/22/12, Grant Ridder <shortdudey123@gmail.com> wrote:
Most switches nowadays have dhcpv4 detection that can be enabled for port
Yes. Many L2 switches have DHCPv4 "Snooping", where some port(s) can be so designated as trusted DHCP server ports, for certain Virtual LANs; and dhcp messages can be detected and suppressed from unauthorized edge ports.
Sounds suspiciously like IPv6 RA Guard, no?
Particularly good L2 switches also have DAI or "IP Source guard" IPv4 functions, which when properly enabled, can foil certain L2 ARP and IPv4 source address spoofing attacks, respectively.
e.g. Source IP address of packet does not match one of the DHCP leases issued to that port -- then drop the packet.
Meh... I can see many cases where that might be more of a bug than feature. Especially in environments where loops may be possible and the DHCP lease might have come over a different path than the port in question during some network event.
As for IPv6; rfc6105; you have ipv6 nd raguard
and IOS NDP inspection.
However, there are caveats that should be noted. RA guard implementations can be trivially fooled by the use of crafted packets.
Frankly, I suggest dropping any RA that doesn't fit in a single packet as a simple solution to the crafted-packet issue. (The crafted packet attacks by and large depend on crafting it so that there are enough extension headers to put the RA header in the second or later fragment).
These are potentially good protections against accidental configuration errors, but not malicious attack from a general purpose computer.
If you have a malicious attack from a general purpose computer on your own LAN, you've already lost on multiple levels to some extent or other. The most effective solution at that point is to identify, locate, and excise said attacker.
Currently, IPv4 seems to win at L2 easily in regards to the level of hardware security features commonly available on L2 switches that pertain to IP.
There was a time when one probably could have argued that Novell beat IP on that basis alone. IPv4 loses when you consider that there are more than 3.2 billion people in the world. That people likely will need a minimum of 5 IP addresses each. That we also need to number infrastructure, routers, servers, sensor grids, etc. IPv4 also loses when you consider the pervasiveness of debilitated IPv4 internetworking in favor of address conservation over the last 20 years. Owen
-Grant -- -JH