North American Network Operators Group

Re: Implementing anti-abuse techniques on ISP networks....

  • From: Christopher Masto
  • Date: Thu Aug 07 11:59:46 1997

On Wed, Aug 06, 1997 at 04:00:14PM -0700, J.D. Falk wrote:
> > I don't know about the "huge players", but we're an Internet Service
> > Provider, not an Internet Blockage Provider.  We don't allow spoofing,
> > and we don't allow relaying, but we're not about to put filters
> > to prevent dialup customers from connecting wherever they want.
> 
> 	How 'bout to stop them from connecting wherever they want,
> 	spoofing their IP address so it looks like it's your box at
> 	home that's hacking into the NSA instead of them?
> 
> 	This is an extreme example, but hopefully it illustrates the
> 	reason that a little simple filtering is a Good Thing[TM].

Inasmuch as filtering each dial-up port to only allow packets from
its own source address is an operational issue.. :-)  I said "we don't
allow spoofing".

Operational question: will a Livingston Portmaster allow source IP
spoofing?  That is, if you have been given an address of x, can you
send a packet from y?  If the answer is "yes" (and I can think of a
reason or two why it should be), and given the current implementation
of RADIUS and its method of supplying filter rules, one immediate
solution comes to mind.  Set up a filter rule for every possible IP
address that may be assigned, and have the RADIUS server supply the
rule that goes with the Framed-IP-Address.  Hmmm.
-- 
= Christopher Masto        = [email protected] = http://www.netmonger.net/  =
= NetMonger Communications = finger for  PGP key = $19.95/mo unlimited access =
= Director of Operations   =   (516)  221-6664 	 = mailto:[email protected]  =

v---(cut here)---v
    --
    [email protected]
    "Keep in mind that anything Kibo says makes a great sig."  -- Kibo
^---(cut here)---^
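
The per-address filtering idea in the message above, as an added example that is not part of the original post. It assumes the access server applies the filter named in the RADIUS Filter-Id attribute to packets arriving from the dial-up port; the pool, the `src-` naming scheme and the rule representation are constructed for illustration and are not PortMaster syntax.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def filter_name(ip):
    # Hypothetical naming scheme: one filter name per assignable address.
    return "src-" + str(ip).replace(".", "-")

def build_filters(pool_cidr):
    """Pre-provision one input filter per address in the dial-up pool.

    Each filter permits only packets whose source is that one address
    and denies everything else arriving on the port.
    """
    filters = {}
    for host in ipaddress.ip_network(pool_cidr).hosts():
        filters[filter_name(host)] = [
            ("permit", ipaddress.ip_network(f"{host}/32")),
            ("deny", ANY),
        ]
    return filters

def radius_reply(framed_ip, filters):
    """Attributes the RADIUS server returns for a session given framed_ip."""
    name = filter_name(framed_ip)
    if name not in filters:
        # Fail closed: never hand out an address that has no matching filter.
        raise KeyError(f"no filter provisioned for {framed_ip}")
    return {"Framed-IP-Address": framed_ip, "Filter-Id": name}

def permits(rules, src):
    """First-match evaluation of a filter against a packet's source address."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in net:
            return action == "permit"
    return False  # implicit deny if nothing matched

if __name__ == "__main__":
    pool = build_filters("192.0.2.0/29")          # constructed sample pool
    reply = radius_reply("192.0.2.3", pool)
    rules = pool[reply["Filter-Id"]]
    for src in ("192.0.2.3", "192.0.2.4", "198.51.100.7"):
        print(src, "forwarded" if permits(rules, src) else "dropped")
```

The number of filters equals the number of assignable addresses, which is the provisioning cost of this approach.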