
nanog mailing list archives

Re: Things to do to make the network better
From: Havard.Eidnes () runit sintef no
Date: Thu, 08 Jan 1998 15:07:12 +0100

We have routers with ISDN PRI links, where the routing
information arrives from RADIUS via a CHAP login. There are 600
routed objects in the RADIUS database, as well as 10k+
non-routed (dynamic IP) objects. Every ISDN router therefore
has a potential 600 directly attached neighbors; although no
router has more than 60 links at any one time. Some common
equipment may handle this just barely; other is wholly
inadequate.

It sounds to me like what you would really like was something
akin to the "RPF check" as done on multicast traffic for unicast
traffic on your customer routers, perhaps as a per-interface
option.  If this feature existed you would not accept a packet
from a given source and incoming interface unless the box in
question has a route for the source pointing back out the same
interface.  That way you would not get the administrative burden
of maintaining access lists and ensuring they're always in synch
with the local view of the routing system.

Doing this on the customer border routers appears to me to be the
obviously right place.  Doing this in a place where asymmetrical
routing is the norm (as appears to be the case in the current
backbones) is obviously a non-starter.

I think this has been mentioned several times to various providers
in the past without this feature materializing, but one can still
hope.  (It's not inconceivable that the current access products have
not been engineered with sufficient CPU resources to be able to even
perform this task...)

- Håvard
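
An added example, not part of the original message: a sketch of the per-interface unicast "RPF check" described above, run over constructed routing tables with hypothetical interface names. It also shows the asymmetric-routing case, where the same check drops legitimate traffic.

```python
import ipaddress

# Constructed routing tables: (prefix, interface the route points out of).
# Interface names and prefixes are hypothetical (documentation address ranges).
CUSTOMER_EDGE = [
    ("0.0.0.0/0", "uplink0"),
    ("192.0.2.0/24", "isdn1"),
    ("198.51.100.0/25", "isdn2"),
    ("198.51.100.0/24", "uplink0"),
]
# Backbone box: traffic from 192.0.2.0/24 arrives via peerB, but the
# best route back points out peerA (asymmetric routing).
BACKBONE = [
    ("0.0.0.0/0", "peerA"),
    ("192.0.2.0/24", "peerA"),
]

def build_table(routes):
    """Parse prefixes and sort most-specific first for longest-prefix match."""
    table = [(ipaddress.ip_network(p), iface) for p, iface in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)

def route_iface(table, addr):
    """Return the interface of the longest matching route, or None."""
    ip = ipaddress.ip_address(addr)
    for net, iface in table:
        if ip in net:
            return iface
    return None

def rpf_accept(table, src, in_iface):
    """Accept only if the route back to src points out the arrival interface."""
    return route_iface(table, src) == in_iface

def filter_packets(table, packets):
    """Return an 'accept'/'drop' verdict for each (src, in_iface) pair."""
    return ["accept" if rpf_accept(table, s, i) else "drop" for s, i in packets]

if __name__ == "__main__":
    edge = build_table(CUSTOMER_EDGE)
    # Constructed packets: (source address, arrival interface).
    pkts = [("192.0.2.10", "isdn1"), ("203.0.113.5", "isdn1"),
            ("198.51.100.20", "isdn2"), ("198.51.100.200", "isdn2")]
    for p, verdict in zip(pkts, filter_packets(edge, pkts)):
        print(p, verdict)
    # Legitimate source, but it arrives on the "wrong" side of an asymmetric path.
    print(filter_packets(build_table(BACKBONE), [("192.0.2.10", "peerB")]))
```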

