On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>
> On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
>
> > On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
> >> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
> >>> Particularly good L2 switches also have
> >>> DAI or "IP Source guard" IPv4 functions, which when properly
> >>> enabled, can foil certain L2 ARP and IPv4 source address spoofing
> >>> attacks, respectively.
> >>>
> >>> e.g. Source IP address of packet does not match one of the DHCP leases
> >>> issued to that port -- then drop the packet.
> >>>
> >>
> >> Meh... I can see many cases where that might be more of a bug than feature.
> >>
> >> Especially in environments where loops may be possible and the DHCP lease
> >> might have come over a different path than the port in question during some
> >> network event.
> >
> > You're only supposed to use those features on the port directly
> > connected to the end-system, or to a few end-systems via an unmanaged
> > office switch that doesn't have redundant uplinks. I.e. edge ports.
>
> In a lot of cases, enforcing that all address assignments are via DHCP can
> still be counter-productive. Especially in IPv6.

If a specific managed environment provides DHCPv6 and doesn't provide SLAAC, and the policies of said environment forbid static addressing, how can enforcing the use of DHCPv6 be counter-productive?

