Gert Doering wrote:
What exactly is "incredibly insecure" in *sending* RAs?

I could understand if a host does not want to *receive* RAs, if the
network environment is not trusted and there is no SeND available yet.

Maybe there is nothing that wrong with sending them, but I recently compared DHCP and ND RA. A DHCP address offer is very easy to match with an L3 access-list, so you can make an access-list on a switch to filter all DHCP offers on ports other than your uplink. But try to do it with RA. As far as I checked, it is not that easy. A normal L3 ACL would not match RA messages while still allowing other ND traffic.

--
Grzegorz Janoszka
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
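To make the comparison concrete, here is an added example (not code from either poster, and not a vendor ACL) that models both matches as a packet classifier over constructed packets. A DHCP offer is a pure L3/L4 match: IPv4, UDP, source port 67, destination port 68. A Router Advertisement is ICMPv6 type 134, so a filter that wants to drop RAs but leave Neighbor Solicitation/Advertisement (types 135/136) alone has to read the ICMPv6 type, and that type is only reachable after any IPv6 extension headers have been skipped. The second point is the practitioner caveat: a filter that only checks the Next Header field of the fixed IPv6 header misses an RA placed behind a Hop-by-Hop header (the evasion RFC 7113 describes for RA Guard, which is why RFC 6980 forbids fragmented ND). All addresses and packets below are constructed inline; checksums are left zero because a port ACL does not verify them.

```python
"""Toy access-list classifier: DHCP offer (easy L3/L4 match) versus
IPv6 Router Advertisement (needs the ICMPv6 type, possibly behind
extension headers).  Constructed packets, not captures."""
import struct
import ipaddress

IPPROTO_UDP, IPPROTO_ICMPV6 = 17, 58
BOOTPS, BOOTPC = 67, 68
ICMPV6_RA, ICMPV6_NS, ICMPV6_NA = 134, 135, 136
# Extension headers a filter must walk past to reach ICMPv6 (RFC 8200):
# Hop-by-Hop (0), Routing (43), Destination Options (60).  All share the
# "next header, length in 8-octet units excluding the first 8" layout.
IPV6_EXT_HEADERS = {0, 43, 60}


def ipv4_udp(src, dst, sport, dport, payload=b"x" * 8):
    """Minimal IPv4+UDP packet (checksums zero; ACLs ignore them)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + udp


def ipv6_icmp(src, dst, icmp_type, ext_headers=0):
    """IPv6 packet carrying ICMPv6 `icmp_type`, optionally preceded by
    `ext_headers` Hop-by-Hop headers (8 bytes each, padded with PadN)."""
    body = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    nxt = IPPROTO_ICMPV6
    for _ in range(ext_headers):
        # next header, ext len 0 (= 8 bytes total), PadN option of 4 bytes
        body = struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00" + body
        nxt = 0
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(body), nxt, 255,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + body


def is_dhcp_offer(pkt):
    """ACL-style match: IPv4, UDP, src port bootps (67), dst port bootpc (68)."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_UDP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return sport == BOOTPS and dport == BOOTPC


def icmpv6_type(pkt, walk_extension_headers=True):
    """Return the ICMPv6 type of an IPv6 packet, or None if not ICMPv6.
    With walk_extension_headers=False this behaves like a filter that only
    inspects the Next Header field of the fixed 40-byte IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while nxt in IPV6_EXT_HEADERS:
        if not walk_extension_headers or off + 2 > len(pkt):
            return None
        nxt, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
    if nxt != IPPROTO_ICMPV6 or off >= len(pkt):
        return None
    return pkt[off]


def is_router_advertisement(pkt, walk_extension_headers=True):
    """The RA match the post is asking for: ICMPv6 type 134 only."""
    return icmpv6_type(pkt, walk_extension_headers) == ICMPV6_RA


def demo():
    """Run the classifier over constructed packets (addresses are made up)."""
    offer = ipv4_udp("192.0.2.1", "192.0.2.50", BOOTPS, BOOTPC)
    ra = ipv6_icmp("fe80::1", "ff02::1", ICMPV6_RA)
    ns = ipv6_icmp("fe80::2", "ff02::1:ff00:1", ICMPV6_NS)
    hidden_ra = ipv6_icmp("fe80::1", "ff02::1", ICMPV6_RA, ext_headers=1)
    return {
        "offer_matched": is_dhcp_offer(offer),
        "ra_matched": is_router_advertisement(ra),
        "ns_left_alone": not is_router_advertisement(ns),
        "hidden_ra_naive": is_router_advertisement(hidden_ra, False),
        "hidden_ra_walked": is_router_advertisement(hidden_ra),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The plain RA and the NS are told apart only by the byte at the ICMPv6 offset, which is exactly what a Layer 3 ACL that matches on protocol 58 alone cannot do. The `hidden_ra_naive` entry shows the failure mode of a filter that stops at the fixed header: the same RA with one Hop-by-Hop header in front of it passes unmatched, while the header-walking version still catches it. A port-level RA filter such as RFC 6105 RA Guard has to do this walk in hardware, which is where the per-platform limitations come from.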