Things to do to make the network better
Morten Reistad
mrr at norway.eu.net
Thu Jan 8 14:35:56 UTC 1998
In message <199801081407.PAA10688 at vader.runit.sintef.no>, Havard.Eidnes at runit.sintef.no writes:
> > We have routers with ISDP PRI links, where the routing
> > information arrives from RADIUS via a CHAP login. There are 600
> > routed objects in the RADIUS database, as well as 10k+
> > non-routed (dynamic IP) objects. Every ISDN router therefore
> > has a potential 600 directly attached neighbors; although no
> > router has more than 60 links at any one time. Some common
> > equipment may handle this just barely; other is wholly
> > inadequate.
>
> It sounds to me like what you would really like was something
> akin to the "RPF check" as done on multicast traffic for unicast
> traffic on your customer routers, perhaps as a per-interface
> option. If this feature existed you would not accept a packet
> from a given source and incoming interface unless the box in
> question has a route for the source pointing back out the same
> interface. That way you would not get the administrative burden
> of maintaining access lists and ensuring they're always in synch
> with the local view of the routing system.
Or possibly as a RADIUS option, where we really want address integrity;
not a filter list; and are willing to accept packets with source
addresses fitting a set of ip aggregates.
>
> Doing this on the customer border routers appears to me to be the
> obviously right place. Doing this in a place where asymmetrical
> routing is the norm (as appears to be the case in the current
> backbones) is obviously a non-starter.
Can you trust the customer border router ? I personally don't.
Anyone can go out and buy a router and hook it up to the internet;
even getting a routed block of addresses doesn't cost all that much.
>
> I think this has been mentioned several times to various providers
> in the past without this feature materializing, but one can still
> hope. (It's not unconceivable that the current access products have
> not been engineered with sufficient CPU resources to be able to even
> perform this task...)
>
> - Håvard
--
___
=== / / / __ ___ _/_ === Morten Reistad, Network Manager
=== /--- / / / / /__/ / === EUnet Norway AS, Sandakerveien 64, Oslo
=== /___ /__/ / / /__ / === <Morten.Reistad at Norway.EU.net>
=== Connecting Europe since 1982 === phone +47 2209 2940
More information about the NANOG
mailing list