On 11/4/18 18:45, Rabadan, Jorge (Nokia - US/Mountain View) wrote:
> [JORGE] not sure what you mean by "negative caching". If you refer to the ability of certain routers/servers to inject dummy MACs into the ARP caches so that hosts stop ARPing for absent IPs, the solution actually may help, since there is an option to suppress unknown ARP-Requests/NS flooding explained in Section 4.5. Should you choose to enable this option on the Proxy-ARP/ND functions of the PEs, you no longer flood unknown ARP-Requests, and therefore there is no longer need to inject those dummy MAC addresses to stop the flooding. A host may keep ARP'ing for an absent host, but at least those messages won't bother the entire BD. I added this text in the security section:
> --------------
> "The procedures in this document reduce the amount of ARP/ND message
> flooding, which in itself provides a protection to "slow path"
> software processors of routers and Tenant Systems in large BDs. The
> ARP/ND requests that are replied by the Proxy-ARP/ND function (hence
> not flooded) are normally targeted to existing hosts in the BD.
> ARP/ND requests targeted to absent hosts are still normally flooded,
> however the suppression of Unknown ARP-Requests and NS messages
> described in Section 4.5. can provide an additional level of security
> against ARP-Requests/NS messages issued to non-existing hosts."
> --------------

Thanks. I re-read section 4.5, and I think this does indeed address my comment. The addition of this text is appreciated.

Joe