North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Things to do to make the network better
In message <[email protected]>, [email protected] writes: > > We have routers with ISDP PRI links, where the routing > > information arrives from RADIUS via a CHAP login. There are 600 > > routed objects in the RADIUS database, as well as 10k+ > > non-routed (dynamic IP) objects. Every ISDN router therefore > > has a potential 600 directly attached neighbors; although no > > router has more than 60 links at any one time. Some common > > equipment may handle this just barely; other is wholly > > inadequate. > > It sounds to me like what you would really like was something > akin to the "RPF check" as done on multicast traffic for unicast > traffic on your customer routers, perhaps as a per-interface > option. If this feature existed you would not accept a packet > from a given source and incoming interface unless the box in > question has a route for the source pointing back out the same > interface. That way you would not get the administrative burden > of maintaining access lists and ensuring they're always in synch > with the local view of the routing system. Or possibly as a RADIUS option, where we really want address integrity; not a filter list; and are willing to accept packets with source addresses fitting a set of ip aggregates. > > Doing this on the customer border routers appears to me to be the > obviously right place. Doing this in a place where asymmetrical > routing is the norm (as appears to be the case in the current > backbones) is obviously a non-starter. Can you trust the customer border router ? I personally don't. Anyone can go out and buy a router and hook it up to the internet; even getting a routed block of addresses doesn't cost all that much. > > I think this has been mentioned several times to various providers > in the past without this feature materializing, but one can still > hope. (It's not unconceivable that the current access products have > not been engineered with sufficient CPU resources to be able to even > perform this task...) > > - H�vard -- ___ === / / / __ ___ _/_ === Morten Reistad, Network Manager === /--- / / / / /__/ / === EUnet Norway AS, Sandakerveien 64, Oslo === /___ /__/ / / /__ / === <[email protected]> === Connecting Europe since 1982 === phone +47 2209 2940
|