> On Oct 26, 2020, at 1:05 PM, Ted Lemon <mel...@fugue.com> wrote:
>
> On Oct 26, 2020, at 12:59 PM, Toerless Eckert <t...@cs.fau.de> wrote:
>> The networks where I am worried are not home networks,
>> but something like an office park network, where supposedly each
>> tenant (company) should have gotten their disjoint L2 domains, ... and then
>> they didn't. And one of the tenants has a "funny" network engineer/hacker.
>
> That’s pretty clearly the thing to fix.
>
There’s plenty of bad engineering out there, but when on a shared LAN without client isolation enabled (e.g. wireless) many bad things can be done. I think explaining that the threat domain is layer 2, and that administrators should consider what services are available (e.g. do you accept a DHCP server on the network, what devices are permitted to send RAs, etc.), all becomes part of the question. Much of this is just operational guidance in how to run a good network which prevents these types of bad behaviors and consequences from exceeding their blast radius.

- Jared

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
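The L2 policy Jared describes (only designated sources may answer DHCP or send Router Advertisements) is what switch features such as DHCP snooping and RA Guard enforce. As an added example that is not part of the thread, the script below audits a constructed set of frame records against such a per-port trust policy; the port names, MAC addresses and frame kinds are all made up.

```python
# Added example (not from the DNSOP thread): flag DHCP server-side replies and
# IPv6 Router Advertisements on a shared L2 segment that arrive on switch ports
# the administrator has not designated as trusted. Trust is keyed on the
# ingress port rather than the source MAC, because a MAC is trivially spoofed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str   # constructed value
    kind: str      # "dhcp_offer", "dhcp_ack", "dhcpv6_advertise", "dhcpv6_reply", "icmpv6_ra", "other"
    port: str      # switch port the frame was received on (constructed name)


# Constructed policy: only the uplink toward the real DHCP server / router may
# source these services. Everything else on the segment is a client.
TRUSTED_DHCP_PORTS = {"Gi1/0/48"}
TRUSTED_RA_PORTS = {"Gi1/0/48"}

# Frame kinds that only a DHCP server should ever emit.
SERVER_SIDE = {"dhcp_offer", "dhcp_ack", "dhcpv6_advertise", "dhcpv6_reply"}


def classify(frame: Frame):
    """Return None if the frame is permitted, otherwise a short reason string."""
    if frame.kind in SERVER_SIDE and frame.port not in TRUSTED_DHCP_PORTS:
        return f"rogue DHCP server reply ({frame.kind}) from {frame.src_mac} on {frame.port}"
    if frame.kind == "icmpv6_ra" and frame.port not in TRUSTED_RA_PORTS:
        return f"unauthorized Router Advertisement from {frame.src_mac} on {frame.port}"
    return None


def audit(frames):
    """Return the list of reasons for every frame that violates the policy."""
    return [reason for reason in map(classify, frames) if reason is not None]


# Constructed sample traffic on one tenant's VLAN.
SAMPLE = [
    Frame("00:11:22:33:44:01", "dhcp_offer", "Gi1/0/48"),   # legitimate server
    Frame("de:ad:be:ef:00:01", "dhcp_offer", "Gi1/0/07"),   # client port answering DHCP
    Frame("de:ad:be:ef:00:01", "icmpv6_ra", "Gi1/0/07"),    # client port sending RAs
    Frame("00:11:22:33:44:01", "icmpv6_ra", "Gi1/0/48"),    # legitimate router
    Frame("aa:bb:cc:dd:ee:ff", "other", "Gi1/0/12"),        # ordinary client traffic
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```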