From: Swan, Jay (jswan@sugf.com)
Date: Mon Dec 17 2007 - 19:12:41 ART

Oops, typo on the IPSG. Let's try again:

IPSG: Makes sure you are sending IP packets from the IP address that the
DHCP server (or IPSG binding DB) gave you. In other words, it does a
sanity check between the source MAC, source IP, and the DHCP binding DB.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Swan, Jay
Sent: Monday, December 17, 2007 2:34 PM
To: wim.depauw@getronics.com; ccielab@groupstudy.com
Subject: RE: Dynamic ARP inspection versus IP source guard

They aren't quite the same.

IPSG: Makes sure you are sending IP packets from the MAC address that
the DHCP server (or IPSG binding DB) gave you.

DAI: Makes sure you don't send gratuitous ARP replies (which aren't IP
packets, remember) for an IP address that's not yours.

Other methods of preventing spoofing include ACLs and applying uRPF on
your edge L3 interfaces. The problem with these approaches is that they
don't prevent gratuitous ARP attacks and they don't prevent a device
from spoofing a different IP on its own subnet.

Jay
#17783
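
The two checks described in this thread, modeled side by side as an added example (not part of the original messages and not switch code). It is a simplified model of untrusted access ports only; the binding table, port names, MAC and IP addresses are constructed, and keying the binding per (VLAN, port) is an assumption of the model.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (vlan, port) -> (mac, ip)
BINDINGS = {
    (10, "Fa0/1"): ("00:11:22:33:44:01", "10.0.10.11"),
    (10, "Fa0/2"): ("00:11:22:33:44:02", "10.0.10.12"),
}

@dataclass
class Frame:
    vlan: int
    port: str
    src_mac: str
    ethertype: str            # "ipv4" or "arp"
    src_ip: str = ""          # IPv4 header source (IP packets only)
    arp_sender_mac: str = ""  # ARP payload fields (ARP packets only)
    arp_sender_ip: str = ""

def ipsg_permits(f: Frame) -> bool:
    """IPSG: for IP packets, source MAC + source IP must match the port's binding."""
    if f.ethertype != "ipv4":
        return True  # ARP is not an IP packet, so IPSG has nothing to check
    return BINDINGS.get((f.vlan, f.port)) == (f.src_mac, f.src_ip)

def dai_permits(f: Frame) -> bool:
    """DAI: for ARP packets, the sender MAC/IP in the payload must match the binding."""
    if f.ethertype != "arp":
        return True  # DAI never looks at ordinary IP traffic
    return BINDINGS.get((f.vlan, f.port)) == (f.arp_sender_mac, f.arp_sender_ip)

def verdict(f: Frame) -> str:
    if not ipsg_permits(f):
        return "drop: IPSG"
    if not dai_permits(f):
        return "drop: DAI"
    return "forward"

HOST1 = "00:11:22:33:44:01"  # constructed host on Fa0/1
SAMPLES = {
    "legit_ip": Frame(10, "Fa0/1", HOST1, "ipv4", src_ip="10.0.10.11"),
    # Host on Fa0/1 sources IP traffic as its neighbour on the same subnet
    "spoofed_ip": Frame(10, "Fa0/1", HOST1, "ipv4", src_ip="10.0.10.12"),
    # Host on Fa0/1 sends a gratuitous ARP claiming the neighbour's IP
    "spoofed_garp": Frame(10, "Fa0/1", HOST1, "arp",
                          arp_sender_mac=HOST1, arp_sender_ip="10.0.10.12"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:13s} {verdict(frame)}")
```

Each feature is blind to the traffic the other one inspects, which is why the spoofed IP packet is caught only by IPSG and the spoofed gratuitous ARP only by DAI.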