Home page logo

nanog logo nanog mailing list archives

Re: Things to do to make the network better
From: Morten Reistad <mrr () norway eu net>
Date: Thu, 08 Jan 1998 14:24:36 +0100

In message <Pine.LNX.3.95.980107222357.167l-100000 () inorganic5 fdt net>, Jon Lewis writes:
On Wed, 7 Jan 1998, Morten Reistad wrote:

I am network manager for a pretty much medium-sized ISP, with around
1700 internal network blocks; 600 of which come from dynamic sources.
(RADIUS; variuos routing protocols). Given that a stock router will
run out of filter lists long before the 600 mark I see major scaling
problems here. (Outside of our network we show around 30 BGP network

You need to do this as close to the edge as possible.  Do you have routers
with 600 customer links directly connected?  If you did, then it might
only be feasible to require that your customers filter their traffic such
that they cannot send bogus source traffic to you...and have stiff
penalties in their service contracts for failure to maintain such filters.

We have routers with ISDP PRI links, where the routing information
arrives from RADIUS via a CHAP login. There are 600 routed objects
in the RADIUS database, as well as 10k+ non-routed (dynamic IP)
objects. Every ISDN router therefore has a potential 600 directly
attached neighbors; although no router has more than 60 links at any
one time. Some common equipment may handle this just barely; other is
wholly inadequate. 

We DO filter on the other edge too, (towards peering partners).
We currently have approx 10 megabit worth of external traffic in
two locations; and filtering works. I doubt we can do this with 
10 times this traffic. 

Because of this filtering spoofing will be between clients that have a contractual 
relationship with us; and we can easily go after them in the judicial system; 
and we have this covered in the contracts. All routers we ship have anti-
spoofing filterlists configured too, but we only have such a relation
to around half of our customers.

My point is that both approaches have huge scaling problems; easily evident
for a medium-size ISP. (Although we are part of EUnet International the national
operations are pretty autonomous). If things are this evident for us, it must
be a nightmare for the bigger ISP's with lots more routed objects.

I would appreciate some thought on how to address this issue on a 
bigger scale. 

 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____

===   /     /  /   __   ___  _/_  ===  Morten Reistad, Network Manager
===  /---  /  /  /  /  /__/  /    ===  EUnet Norway AS, Sandakerveien 64, Oslo
=== /___  /__/  /  /  /__   /     === <Morten.Reistad () Norway EU net>
=== Connecting Europe since 1982  ===  phone +47 2209 2940

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]