Home page logo

nanog logo nanog mailing list archives

Re: Things to do to make the network better
From: Morten Reistad <mrr () norway eu net>
Date: Thu, 08 Jan 1998 15:35:56 +0100

In message <199801081407.PAA10688 () vader runit sintef no>, Havard.Eidnes () runit sintef no writes:
We have routers with ISDP PRI links, where the routing
information arrives from RADIUS via a CHAP login. There are 600
routed objects in the RADIUS database, as well as 10k+
non-routed (dynamic IP) objects. Every ISDN router therefore
has a potential 600 directly attached neighbors; although no
router has more than 60 links at any one time. Some common
equipment may handle this just barely; other is wholly

It sounds to me like what you would really like was something
akin to the "RPF check" as done on multicast traffic for unicast
traffic on your customer routers, perhaps as a per-interface
option.  If this feature existed you would not accept a packet
from a given source and incoming interface unless the box in
question has a route for the source pointing back out the same
interface.  That way you would not get the administrative burden
of maintaining access lists and ensuring they're always in synch
with the local view of the routing system.

Or possibly as a RADIUS option, where we really want address integrity;
not a filter list; and are willing to accept packets with source
addresses fitting a set of ip aggregates.

Doing this on the customer border routers appears to me to be the
obviously right place.  Doing this in a place where asymmetrical
routing is the norm (as appears to be the case in the current
backbones) is obviously a non-starter.

Can you trust the customer border router ? I personally don't.
Anyone can go out and buy a router and hook it up to the internet; 
even getting a routed block of addresses doesn't cost all that much.

I think this has been mentioned several times to various providers
in the past without this feature materializing, but one can still
hope.  (It's not unconceivable that the current access products have
not been engineered with sufficient CPU resources to be able to even
perform this task...)

- HÃ¥vard
===   /     /  /   __   ___  _/_  ===  Morten Reistad, Network Manager
===  /---  /  /  /  /  /__/  /    ===  EUnet Norway AS, Sandakerveien 64, Oslo
=== /___  /__/  /  /  /__   /     === <Morten.Reistad () Norway EU net>
=== Connecting Europe since 1982  ===  phone +47 2209 2940

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]