On Apr 23, 2012, at 8:23 AM, Chuck Anderson wrote:

> On Mon, Apr 23, 2012 at 06:38:09AM -0700, Owen DeLong wrote:
>>
>> On Apr 23, 2012, at 6:25 AM, Chuck Anderson wrote:
>>
>>> On Mon, Apr 23, 2012 at 12:24:53AM -0700, Owen DeLong wrote:
>>>> On Apr 22, 2012, at 10:30 PM, Jimmy Hess wrote:
>>>>> Particularly good L2 switches also have
>>>>> DAI or "IP Source guard" IPv4 functions, which when properly
>>>>> enabled, can foil certain L2 ARP and IPv4 source address spoofing
>>>>> attacks, respectively.
>>>>>
>>>>> e.g. Source IP address of packet does not match one of the DHCP leases
>>>>> issued to that port -- then drop the packet.
>>>>>
>>>> Meh... I can see many cases where that might be more of a bug than feature.
>>>>
>>>> Especially in environments where loops may be possible and the DHCP lease
>>>> might have come over a different path than the port in question during some
>>>> network event.
>>>
>>> You're only supposed to use those features on the port directly
>>> connected to the end-system, or to a few end-systems via an unmanaged
>>> office switch that doesn't have redundant uplinks. I.e. edge ports.
>>
>> In a lot of cases, enforcing that all address assignments are via DHCP can
>> still be counter-productive. Especially in IPv6.
>
> If a specific managed environment provides DHCPv6 and doesn't provide
> SLAAC, and the policies of said environment forbid static addressing,
> how can enforcing the use of DHCPv6 be counter-productive?
That's a lot of ifs. I said in a lot of cases. I didn't say in all cases. If you satisfy all of your ifs, then it's not one of the cases of which I speak.

Owen
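The following is an added illustration, not code from the thread or from any switch vendor: a toy model of the IP Source Guard check Jimmy Hess describes (drop a frame on an edge port when its source IP is not one of the DHCP leases bound to that port), with the two caveats the thread raises built in. Uplink ports are marked trusted and exempt from inspection (Chuck's "edge ports only" point), and one of the constructed sample frames models Owen's case of a host whose lease was learned on a different port, which a binding-table check drops as if it were spoofing. Real implementations key bindings by port, VLAN, IP and MAC; this model keys by IP only so that the wrong-port case is visible. Port names, MACs, addresses and the per-port drop counter are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Lease:
    ip: str
    mac: str
    port: str
    expires: float          # absolute time in seconds (constructed clock)


@dataclass
class SourceGuard:
    """Toy IP Source Guard: a DHCP-snooping binding table plus an admission check."""
    trusted_ports: set = field(default_factory=set)   # uplinks: never inspected
    bindings: dict = field(default_factory=dict)      # ip -> Lease (simplified key)
    drops: dict = field(default_factory=dict)         # port -> number of dropped frames

    def learn_lease(self, ip, mac, port, ttl, now):
        """Record a DHCP lease seen on an edge port, as DHCP snooping would."""
        self.bindings[ip] = Lease(ip, mac, port, now + ttl)

    def check(self, port, src_mac, src_ip, now):
        """Return (verdict, reason) for a frame arriving on `port`."""
        if port in self.trusted_ports:
            return "permit", "trusted port, not inspected"
        lease = self.bindings.get(src_ip)
        if lease is None:
            verdict = ("drop", "no DHCP lease for source IP on this switch")
        elif lease.expires <= now:
            verdict = ("drop", "lease expired")
        elif lease.port != port:
            # The thread's failure mode: a valid host whose lease was learned
            # elsewhere looks identical to a spoofer from this port's view.
            verdict = ("drop", f"lease for {src_ip} is bound to {lease.port}, not {port}")
        elif lease.mac != src_mac:
            verdict = ("drop", "source MAC does not match lease")
        else:
            verdict = ("permit", "matches DHCP binding")
        if verdict[0] == "drop":
            self.drops[port] = self.drops.get(port, 0) + 1
        return verdict


def run_demo():
    """Run constructed sample traffic through the guard; returns (verdicts, drop counts)."""
    sg = SourceGuard(trusted_ports={"Gi1/0/48"})     # assumed uplink port
    now = 1000.0
    sg.learn_lease("192.0.2.10", "00:00:5e:00:53:0a", "Gi1/0/1", ttl=3600, now=now)
    sg.learn_lease("192.0.2.11", "00:00:5e:00:53:0b", "Gi1/0/2", ttl=3600, now=now)
    frames = [  # constructed: (ingress port, src MAC, src IP, time seen)
        ("Gi1/0/1", "00:00:5e:00:53:0a", "192.0.2.10", now + 1),      # legitimate host
        ("Gi1/0/1", "00:00:5e:00:53:0a", "192.0.2.11", now + 2),      # using a neighbour's lease
        ("Gi1/0/2", "00:00:5e:00:53:0b", "192.0.2.11", now + 4000),   # lease has run out
        ("Gi1/0/3", "00:00:5e:00:53:0a", "192.0.2.10", now + 5),      # lease learned on another port
        ("Gi1/0/48", "00:00:5e:00:53:63", "198.51.100.7", now + 6),   # uplink traffic, exempt
    ]
    verdicts = [(p, *sg.check(p, m, ip, t)) for p, m, ip, t in frames]
    return verdicts, dict(sg.drops)


if __name__ == "__main__":
    results, drop_counts = run_demo()
    for port, verdict, reason in results:
        print(f"{port:9s} {verdict:6s} {reason}")
    print("drops per port:", drop_counts)
```

The per-port drop counter is the operational hook: a burst of drops on a single edge port right after a topology change is more likely the moved-lease case than spoofing, so it is worth alerting on the counter rather than silently discarding, and worth keeping the feature off ports that can see redundant paths.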