Boyd Adamson writes:
> James Carlson <[EMAIL PROTECTED]> writes:
> > Peter Memishian writes:
> >> That said:
> >>
> >> # ndd -set /dev/arp arp_probe_count 0
> >> # ndd -set /dev/arp arp_fastprobe_count 0
> >> # ndd -set /dev/arp arp_defend_interval 0
> >
> > That won't actually disable DAD. If we detect conflicts on a running
> > interface, we'll still take it down. There's no supported means to
> > turn it completely off, and that's by intention. Networks with
> > duplicate addresses are simply broken.
>
> This is probably a stupid question, but:
>
> Doesn't that provide a rather trivial DoS attack vector?
Only via ARP messages, and ARP already has no security whatsoever. If someone
wants to DoS the system via ARP (and has L2 access to your network), there's
nothing at all you can do about it. (The equivalent problem also exists for
IPv6 ND.)

-- 
James Carlson, Solaris Networking <[EMAIL PROTECTED]>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
_______________________________________________
networking-discuss mailing list
[email protected]
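To make concrete why the conflict check described above is trivially triggerable from L2, here is an added example (not code from this thread, from Solaris, or from any of the posters) of the check itself: a small parser for raw Ethernet/IPv4 ARP frames and the duplicate-address test that DAD-style conflict handling applies to each incoming frame. Nothing in an ARP frame is authenticated, so a single forged reply whose sender protocol address is our own IP and whose sender hardware address is someone else's is indistinguishable from a real duplicate. All MAC and IP addresses below are constructed for the example (192.0.2.0/24 is the documentation range), and `find_conflicts`, `build_arp` and `sample_frames` are hypothetical helper names, not Solaris interfaces.

```python
"""Minimal ARP address-conflict detector (added example, not Solaris code).

Parses raw Ethernet + ARP frames (RFC 826 layout, Ethernet/IPv4 only) and
flags any frame that a DAD-style check would treat as a duplicate address:
  - sender protocol address is one of ours but sender hardware address is
    not ours (a forged reply or a genuine duplicate), or
  - while we are still probing, another host probes for our address
    (sender IP 0.0.0.0, target IP ours), per the RFC 5227 rules.
Addresses, frame contents and helper names below are all constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(octet) for octet in s.split("."))


def build_arp(oper, sha, spa, tha, tpa, dst=b"\xff" * 6):
    """Assemble a 42-byte Ethernet/ARP frame (hypothetical helper)."""
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper)
    return eth + hdr + sha + spa + tha + tpa


def parse_arp(frame):
    """Return (oper, sha, spa, tha, tpa) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    body = frame[22:42]
    return oper, body[0:6], body[6:10], body[10:16], body[16:20]


def find_conflicts(frames, my_mac, my_ips, probing=False):
    """Apply the duplicate-address check to each frame.

    Returns a list of (frame_index, oper, offending_mac, claimed_ip).
    Note that the check cannot tell a forged frame from a real duplicate:
    the only evidence is the unauthenticated sender fields.
    """
    conflicts = []
    for idx, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sha, spa, _tha, tpa = parsed
        if sha == my_mac:
            continue  # our own announcements are not conflicts
        if spa in my_ips:
            conflicts.append((idx, oper, sha, spa))
        elif probing and spa == ip("0.0.0.0") and tpa in my_ips:
            conflicts.append((idx, oper, sha, tpa))
    return conflicts


MY_MAC = mac("00:14:4f:00:00:01")      # constructed
MY_IP = ip("192.0.2.10")               # constructed
NEIGHBOR_MAC = mac("00:0c:29:aa:bb:cc")  # constructed
ATTACKER_MAC = mac("00:de:ad:be:ef:01")  # constructed


def sample_frames():
    """Constructed traffic: two benign frames, one forged reply, one non-ARP."""
    zero_mac = b"\x00" * 6
    benign_request = build_arp(ARP_REQUEST, NEIGHBOR_MAC, ip("192.0.2.20"),
                               zero_mac, ip("192.0.2.1"))
    our_announce = build_arp(ARP_REQUEST, MY_MAC, MY_IP, zero_mac, MY_IP)
    # The forged frame: attacker claims our IP with its own MAC. From the
    # receiver's point of view this is exactly what a real duplicate looks like.
    forged_reply = build_arp(ARP_REPLY, ATTACKER_MAC, MY_IP, MY_MAC, MY_IP,
                             dst=MY_MAC)
    not_arp = MY_MAC + NEIGHBOR_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 28
    return [benign_request, our_announce, forged_reply, not_arp]


if __name__ == "__main__":
    for idx, oper, sha, spa in find_conflicts(sample_frames(), MY_MAC, {MY_IP}):
        print("frame %d: ARP op %d from %s claims %s" % (
            idx, oper, sha.hex(":"), ".".join(str(b) for b in spa)))
```

Running it reports only the forged reply (frame 2) as a conflict, which is the point of the thread: the receiver has no way to validate the sender fields, so the defensive response (defending the address, or taking the interface down if conflicts persist) is driven entirely by data any L2-adjacent host can forge. The `probing` flag covers the second RFC 5227 case, where a competing probe during our own probing phase also counts as a conflict.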
