Things to do to make the network better
Morten Reistad
mrr at norway.eu.net
Thu Jan 8 13:24:36 UTC 1998
In message <Pine.LNX.3.95.980107222357.167l-100000 at inorganic5.fdt.net>, Jon Lewis writes:
> On Wed, 7 Jan 1998, Morten Reistad wrote:
>
> > I am network manager for a pretty much medium-sized ISP, with around
> > 1700 internal network blocks; 600 of which come from dynamic sources.
> > (RADIUS; various routing protocols). Given that a stock router will
> > run out of filter lists long before the 600 mark I see major scaling
> > problems here. (Outside of our network we show around 30 BGP network
>
> You need to do this as close to the edge as possible. Do you have routers
> with 600 customer links directly connected? If you did, then it might
> only be feasible to require that your customers filter their traffic such
> that they cannot send bogus source traffic to you...and have stiff
> penalties in their service contracts for failure to maintain such filters.
We have routers with ISDN PRI links, where the routing information
arrives from RADIUS via a CHAP login. There are 600 routed objects
in the RADIUS database, as well as 10k+ non-routed (dynamic IP)
objects. Every ISDN router therefore has a potential 600 directly
attached neighbors; although no router has more than 60 links at any
one time. Some common equipment may handle this just barely; others are
wholly inadequate.
We DO filter on the other edge too, (towards peering partners).
We currently have approx 10 megabit worth of external traffic in
two locations; and filtering works. I doubt we can do this with
10 times this traffic.
Because of this filtering, spoofing will be between clients that have a contractual
relationship with us; and we can easily go after them in the judicial system;
and we have this covered in the contracts. All routers we ship have
anti-spoofing filter lists configured too, but we only have such a relation
to around half of our customers.
My point is that both approaches have huge scaling problems; easily evident
for a medium-size ISP. (Although we are part of EUnet International the national
operations are pretty autonomous). If things are this evident for us, it must
be a nightmare for the bigger ISPs with lots more routed objects.
I would appreciate some thought on how to address this issue on a
bigger scale.
>
> ------------------------------------------------------------------
> Jon Lewis <jlewis at fdt.net> | Unsolicited commercial e-mail will
> Network Administrator | be proof-read for $199/message.
> Florida Digital Turnpike |
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
>
--
___
=== / / / __ ___ _/_ === Morten Reistad, Network Manager
=== /--- / / / / /__/ / === EUnet Norway AS, Sandakerveien 64, Oslo
=== /___ /__/ / / /__ / === <Morten.Reistad at Norway.EU.net>
=== Connecting Europe since 1982 === phone +47 2209 2940
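The filtering problem discussed above (hundreds of dial-up neighbours whose prefixes arrive from RADIUS, and filter lists that do not scale if kept per router) can be modelled in code. The following is an added example, not part of Morten Reistad's post or of EUnet's configuration: it derives a per-session ingress filter from the RADIUS Access-Accept attributes Framed-IP-Address and Framed-Route (both defined in RFC 2865), so that each session carries only its own customer's prefixes instead of one router-wide list. Session identifiers, addresses and packets are constructed sample values.

```python
"""Per-session anti-spoofing filter built from RADIUS reply attributes.

Added example (not code from the original post). Assumptions:
  - the NAS receives Framed-IP-Address and/or Framed-Route in the
    Access-Accept (RFC 2865 attribute names; the route string format is
    "prefix/len gateway [metrics...]" and the prefix length is present);
  - a packet is identified here only by (session_id, source_address).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    allowed: list = field(default_factory=list)  # IPv4Network objects


def prefixes_from_radius(attrs):
    """Derive the source prefixes a session may use from its Access-Accept.

    255.255.255.255 / 255.255.255.254 in Framed-IP-Address mean "let the
    NAS assign or negotiate", so they contribute no fixed host prefix.
    """
    nets = []
    addr = attrs.get("Framed-IP-Address")
    if addr and addr not in ("255.255.255.255", "255.255.255.254"):
        nets.append(ipaddress.ip_network(f"{addr}/32"))
    for route in attrs.get("Framed-Route", []):
        prefix = route.split()[0]            # "10.1.0.0/24 10.0.0.2 1" -> "10.1.0.0/24"
        nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def session_from_accept(session_id, attrs):
    """Install the per-session filter when the CHAP login is accepted."""
    return Session(session_id, prefixes_from_radius(attrs))


def source_permitted(session, src):
    """True only if src falls inside a prefix RADIUS handed this session."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in session.allowed)


def filter_packets(sessions, packets):
    """Apply the ingress filter; unknown sessions drop everything.

    Returns (accepted, dropped) as lists of (session_id, src)."""
    accepted, dropped = [], []
    for sid, src in packets:
        sess = sessions.get(sid)
        if sess is not None and source_permitted(sess, src):
            accepted.append((sid, src))
        else:
            dropped.append((sid, src))
    return accepted, dropped


def filter_sizes(sessions):
    """Largest per-session list versus the size of one merged router-wide list,
    which is the scaling difference the thread is about."""
    per_session = max(len(s.allowed) for s in sessions.values())
    merged = sum(len(s.allowed) for s in sessions.values())
    return per_session, merged


# Constructed sample data: two ISDN sessions and a handful of packets.
SESSIONS = {
    "isdn0:1": session_from_accept("isdn0:1", {
        "Framed-IP-Address": "10.0.0.2",
        "Framed-Route": ["10.1.0.0/24 10.0.0.2 1"],
    }),
    "isdn0:2": session_from_accept("isdn0:2", {
        "Framed-IP-Address": "10.0.0.3",
    }),
}

PACKETS = [
    ("isdn0:1", "10.1.0.77"),   # inside routed block -> accept
    ("isdn0:1", "10.0.0.2"),    # the session's own address -> accept
    ("isdn0:1", "10.0.0.3"),    # neighbour's address on the wrong session -> drop
    ("isdn0:2", "10.1.0.5"),    # prefix belongs to another customer -> drop
    ("isdn0:9", "10.0.0.3"),    # no RADIUS state for this session -> drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SESSIONS, PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
    print("largest per-session list / merged list:", filter_sizes(SESSIONS))
```

The point of `filter_sizes` is the one the post makes: a router-wide list grows with every routed object in the RADIUS database, while a filter attached to the session at login grows only with that customer's own prefixes and disappears when the call drops.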