On Dec 23, 2011, at 1:23 PM, Jeff Wheeler wrote:

> On Fri, Dec 23, 2011 at 4:13 PM, Mohacsi Janos <[email protected]> wrote:
>> If you can limit number of ARP/NDP entries per interface and you complement
>> RAGuard and DHCPv4 snooping you are done.
>
> That depends on how ARP/ND gleaning works on the box. In short, Cisco
> already has a knob to limit the number of ND entries per interface on
> some of their kit, and it is not a solution, only a damage mitigation
> measure. http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf

In the real world, sufficient damage prevention/mitigation qualifies as a solution.

Owen

