Things to do to make the network better

• Previous message (by thread): Things to do to make the network better
• Next message (by thread): Things to do to make the network better
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <Pine.LNX.3.95.980107222357.167l-100000 at inorganic5.fdt.net>, Jon Lewis writes:
> On Wed, 7 Jan 1998, Morten Reistad wrote:
> 
> > I am network manager for a pretty much medium-sized ISP, with around
> > 1700 internal network blocks; 600 of which come from dynamic sources.
> > (RADIUS; variuos routing protocols). Given that a stock router will
> > run out of filter lists long before the 600 mark I see major scaling
> > problems here. (Outside of our network we show around 30 BGP network
> 
> You need to do this as close to the edge as possible.  Do you have routers
> with 600 customer links directly connected?  If you did, then it might
> only be feasible to require that your customers filter their traffic such
> that they cannot send bogus source traffic to you...and have stiff
> penalties in their service contracts for failure to maintain such filters.

We have routers with ISDP PRI links, where the routing information
arrives from RADIUS via a CHAP login. There are 600 routed objects
in the RADIUS database, as well as 10k+ non-routed (dynamic IP)
objects. Every ISDN router therefore has a potential 600 directly
attached neighbors; although no router has more than 60 links at any
one time. Some common equipment may handle this just barely; other is
wholly inadequate. 

We DO filter on the other edge too, (towards peering partners).
We currently have approx 10 megabit worth of external traffic in
two locations; and filtering works. I doubt we can do this with 
10 times this traffic. 

Because of this filtering spoofing will be between clients that have a contractual 
relationship with us; and we can easily go after them in the judicial system; 
and we have this covered in the contracts. All routers we ship have anti-
spoofing filterlists configured too, but we only have such a relation
to around half of our customers.

My point is that both approaches have huge scaling problems; easily evident
for a medium-size ISP. (Although we are part of EUnet International the national
operations are pretty autonomous). If things are this evident for us, it must
be a nightmare for the bigger ISP's with lots more routed objects.

I would appreciate some thought on how to address this issue on a 
bigger scale. 

> 
> ------------------------------------------------------------------
>  Jon Lewis <jlewis at fdt.net>  |  Unsolicited commercial e-mail will
>  Network Administrator       |  be proof-read for $199/message.
>  Florida Digital Turnpike    |  
> ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
> 
--
       ___
===   /     /  /   __   ___  _/_  ===  Morten Reistad, Network Manager
===  /---  /  /  /  /  /__/  /    ===  EUnet Norway AS, Sandakerveien 64, Oslo
=== /___  /__/  /  /  /__   /     === <Morten.Reistad at Norway.EU.net>
=== Connecting Europe since 1982  ===  phone +47 2209 2940

• Previous message (by thread): Things to do to make the network better
• Next message (by thread): Things to do to make the network better
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]