North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Things to do to make the network better

  • From: Morten Reistad
  • Date: Thu Jan 08 09:41:27 1998

In message <[email protected]>, [email protected] writes:
> > We have routers with ISDP PRI links, where the routing
> > information arrives from RADIUS via a CHAP login. There are 600
> > routed objects in the RADIUS database, as well as 10k+
> > non-routed (dynamic IP) objects. Every ISDN router therefore
> > has a potential 600 directly attached neighbors; although no
> > router has more than 60 links at any one time. Some common
> > equipment may handle this just barely; other is wholly
> > inadequate.
> 
> It sounds to me like what you would really like was something
> akin to the "RPF check" as done on multicast traffic for unicast
> traffic on your customer routers, perhaps as a per-interface
> option.  If this feature existed you would not accept a packet
> from a given source and incoming interface unless the box in
> question has a route for the source pointing back out the same
> interface.  That way you would not get the administrative burden
> of maintaining access lists and ensuring they're always in synch
> with the local view of the routing system.

Or possibly as a RADIUS option, where we really want address integrity;
not a filter list; and are willing to accept packets with source
addresses fitting a set of ip aggregates.

> 
> Doing this on the customer border routers appears to me to be the
> obviously right place.  Doing this in a place where asymmetrical
> routing is the norm (as appears to be the case in the current
> backbones) is obviously a non-starter.

Can you trust the customer border router ? I personally don't.
Anyone can go out and buy a router and hook it up to the internet; 
even getting a routed block of addresses doesn't cost all that much.

> 
> I think this has been mentioned several times to various providers
> in the past without this feature materializing, but one can still
> hope.  (It's not unconceivable that the current access products have
> not been engineered with sufficient CPU resources to be able to even
> perform this task...)
> 
> - Håvard
--
       ___
===   /     /  /   __   ___  _/_  ===  Morten Reistad, Network Manager
===  /---  /  /  /  /  /__/  /    ===  EUnet Norway AS, Sandakerveien 64, Oslo
=== /___  /__/  /  /  /__   /     === <[email protected]>
=== Connecting Europe since 1982  ===  phone +47 2209 2940