North American Network Operators Group

Re: Cable Modem [really responsible engineering]
In article <[email protected]>, Chris Adams <[email protected]> wrote:
>Once upon a time, Miquel van Smoorenburg <[email protected]> said:
>> When the BRAS requests config info when the circuit goes up (using
>> radius) or when it acts as a DHCP relay, it includes the VPI/VCI
>> of the ATM channel in the request. That means that you can assign
>> IP addresses based on the physical connection rather than the MAC
>> address, and this is what we do [well, will do soon anyway ;)]
>
>Okay, but how do you keep the end user from putting a different IP in
>their computer?

The BRAS equipment we use, redback SMSes, can filter out IP addresses with invalid source addresses. Like cisco's ip verify unicast reverse-path

>Also, how do you prevent the user from trying to forge someone else's
>IP address or even MAC address in outgoing packets?

Like I said, the SMSes we use filter IP, and it doesn't use real bridging even within the same subnet, it does proxy arp. So if a customer arps for another IP in the same subnet, the SMS will answer the ARP request itself, it will not be bridged.

Unfortunately I have not been able to play with Cisco's 6400 series yet to see if they offer the same functionality - not that we're not happy with our current equipment but I'd like to know a bit more about how other equipment behaves. However from the docs I get the impression that Cisco calls this IRB.

>Without protecting
>against forged packets, I don't see how to provide accountability when
>someone attacks.

Very true. The BRAS must be able to protect from IP spoofing and it must do proxy arp instead of real bridging.

Mike.
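The per-circuit source filtering and proxy ARP behaviour described in the message above, modelled as an added example (not part of the original post, and not Redback or Cisco code). The class and function names, the 192.0.2.0/24 subnet, the VPI/VCI values and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Circuit:
    """One subscriber ATM PVC, identified by VPI/VCI."""
    vpi: int
    vci: int

@dataclass
class Bras:
    """Toy model: the address is bound to the circuit, not to the MAC."""
    subnet: IPv4Network
    gateway_mac: str
    bindings: dict = field(default_factory=dict)  # Circuit -> IPv4Address
    drops: list = field(default_factory=list)     # (Circuit, src_ip, src_mac)

    def assign(self, circuit, ip):
        """RADIUS / DHCP-relay step: the lease is keyed on VPI/VCI."""
        ip = IPv4Address(ip)
        if ip not in self.subnet or ip in self.bindings.values():
            raise ValueError(f"{ip} is not assignable")
        self.bindings[circuit] = ip

    def ingress(self, circuit, src_ip, src_mac):
        """Forward only if the source IP is the one bound to this circuit.
        The MAC plays no part in the decision, so forging it gains nothing."""
        if self.bindings.get(circuit) == IPv4Address(src_ip):
            return True
        # The drop record names the physical line, which gives accountability.
        self.drops.append((circuit, str(src_ip), src_mac))
        return False

    def arp_request(self, circuit, target_ip):
        """Proxy ARP: the BRAS answers itself and never bridges the request,
        so no other subscriber sees it or gets to answer it."""
        target = IPv4Address(target_ip)
        own = self.bindings.get(circuit)
        if own is None or target not in self.subnet or target == own:
            return None
        return self.gateway_mac

def build_demo():
    """Constructed sample: two subscribers on adjacent PVCs."""
    bras = Bras(IPv4Network("192.0.2.0/24"), "02:00:00:00:00:01")
    sub_a, sub_b = Circuit(8, 35), Circuit(8, 36)
    bras.assign(sub_a, "192.0.2.10")
    bras.assign(sub_b, "192.0.2.11")
    return bras, sub_a, sub_b
```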