nanog mailing list archives

Re: Cable Modem [really responsible engineering]


From: miquels () cistron-office nl (Miquel van Smoorenburg)
Date: Wed, 27 Jun 2001 11:34:27 +0000 (UTC)


In article <20010626202013.A23709 () HiWAAY net>,
Chris Adams  <cmadams () hiwaay net> wrote:
> Once upon a time, Miquel van Smoorenburg <miquels () cistron-office nl> said:
> > When the BRAS requests config info when the circuit goes up (using
> > radius) or when it acts as a DHCP relay, it includes the VPI/VCI
> > of the ATM channel in the request. That means that you can assign
> > IP addresses based on the physical connection rather than the MAC
> > address, and this is what we do [well, will do soon anyway ;)]
>
> Okay, but how do you keep the end user from putting a different IP in
> their computer?

The BRAS equipment we use, Redback SMSes, can filter out IP addresses
with invalid source addresses, like Cisco's ip verify unicast reverse-path.

> Also, how do you prevent the user from trying to forge someone else's
> IP address or even MAC address in outgoing packets?

Like I said, the SMSes we use filter IP, and they don't use real
bridging even within the same subnet; they do proxy ARP. So if a
customer ARPs for another IP in the same subnet, the SMS will answer
the ARP request itself; it will not be bridged.

Unfortunately, I have not been able to play with Cisco's 6400
series yet to see if it offers the same functionality; not that
we're not happy with our current equipment, but I'd like to know
a bit more about how other equipment behaves. However, from the
docs I get the impression that Cisco calls this IRB.

> Without protecting
> against forged packets, I don't see how to provide accountability when
> someone attacks.

Very true. The BRAS must be able to protect against IP spoofing, and
it must do proxy ARP instead of real bridging.

Mike.
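The two behaviours argued for in this exchange, per-circuit source-address validation and proxy ARP in place of bridging, are easy to model. The following is an added illustration written for this archive page; it is not code from the original post, from Redback, or from Cisco, and the circuit ids, subnet, addresses and MAC it uses are constructed sample values. The `Bras` class, its method names and the log format are assumptions made for the example.

```python
"""
Toy model of a BRAS that (1) binds each ATM circuit (VPI/VCI) to the IP
address the provider assigned it and drops any packet whose source address
differs, the per-subscriber analogue of 'ip verify unicast reverse-path',
and (2) answers ARP requests for the customer subnet itself instead of
bridging them between circuits. Added example; all values are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Bras:
    subnet: IPv4Network                           # customer subnet served by this BRAS
    own_mac: str = "00:bb:aa:00:00:01"            # constructed BRAS MAC address
    bindings: dict = field(default_factory=dict)  # (vpi, vci) -> assigned IPv4Address
    log: list = field(default_factory=list)       # dropped-packet records for accountability

    def bind(self, vpi: int, vci: int, ip: str) -> None:
        """Record the address assigned to a circuit (as learned via RADIUS or DHCP relay)."""
        addr = IPv4Address(ip)
        if addr not in self.subnet:
            raise ValueError(f"{addr} is outside {self.subnet}")
        self.bindings[(vpi, vci)] = addr

    def ingress(self, vpi: int, vci: int, src: str) -> bool:
        """Return True if a packet with source address `src` on this circuit may be forwarded.

        Only the address bound to the circuit is accepted, so a customer who
        configures a neighbour's address, or any other address, is filtered
        at the point where the physical circuit identifies them.
        """
        bound = self.bindings.get((vpi, vci))
        if bound is None or IPv4Address(src) != bound:
            self.log.append(f"drop vpi={vpi} vci={vci} src={src} bound={bound}")
            return False
        return True

    def arp_request(self, vpi: int, vci: int, target: str):
        """Answer an ARP request from a circuit; never bridge it to other circuits.

        For any target inside the subnet the BRAS replies with its own MAC
        (proxy ARP), so customer frames always pass through the BRAS where
        they are subject to the ingress check above. Requests for addresses
        outside the subnet are ignored.
        """
        tgt = IPv4Address(target)
        if tgt in self.subnet and tgt != self.bindings.get((vpi, vci)):
            return self.own_mac
        return None


if __name__ == "__main__":
    bras = Bras(IPv4Network("192.0.2.0/24"))     # constructed documentation prefix
    bras.bind(0, 35, "192.0.2.10")
    bras.bind(0, 36, "192.0.2.11")
    print(bras.ingress(0, 35, "192.0.2.10"))     # legitimate source
    print(bras.ingress(0, 35, "192.0.2.11"))     # neighbour's address on the wrong circuit
    print(bras.arp_request(0, 35, "192.0.2.11"))  # BRAS answers with its own MAC
    for line in bras.log:
        print(line)
```

Because the binding is keyed on the circuit rather than on a MAC address, neither changing the host's IP nor its MAC gets a forged packet past the check, and every drop leaves a record tied to the physical circuit, which is what provides accountability when a customer line is used to attack someone.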

