Cable Modem [really responsible engineering]

Miquel van Smoorenburg miquels at cistron-office.nl
Wed Jun 27 11:34:27 UTC 2001


In article <20010626202013.A23709 at HiWAAY.net>,
Chris Adams  <cmadams at hiwaay.net> wrote:
>Once upon a time, Miquel van Smoorenburg <miquels at cistron-office.nl> said:
>> When the BRAS requests config info when the circuit goes up (using
>> radius) or when it acts as a DHCP relay, it includes the VPI/VCI
>> of the ATM channel in the request. That means that you can assign
>> IP addresses based on the physical connection rather than the MAC
>> address, and this is what we do [well, will do soon anyway ;)]
>
>Okay, but how do you keep the end user from putting a different IP in
>their computer?

The BRAS equipment we use, Redback SMSes, can filter out IP addresses
with invalid source addresses. Like Cisco's ip verify unicast reverse-path.

>Also, how do you prevent the user from trying to forge someone else's
>IP address or even MAC address in outgoing packets?

Like I said, the SMSes we use filter IP, and it doesn't use real
bridging even within the same subnet, it does proxy arp. So if a
customer arps for another IP in the same subnet, the SMS will answer
the ARP request itself, it will not be bridged.

Unfortunately I have not been able to play with Cisco's 6400
series yet to see if they offer the same functionality - not that
we're not happy with our current equipment, but I'd like to know
a bit more about how other equipment behaves. However, from the
docs I get the impression that Cisco calls this IRB.

>Without protecting
>against forged packets, I don't see how to provide accountability when
>someone attacks.

Very true. The BRAS must be able to protect from IP spoofing and
it must do proxy arp instead of real bridging.

Mike.
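Added example, not part of the thread: a small Python model of the two BRAS behaviours described above, per-circuit source-address verification (the uRPF-style filter) and proxy ARP in place of bridging. The circuit table, subnet, gateway address and BRAS MAC are constructed sample values, not anything from Miquel's network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: the address assigned to each ATM circuit (VPI, VCI),
# as a BRAS would learn it from RADIUS or from DHCP relay keyed on the circuit.
CIRCUIT_TABLE = {
    (0, 33): "10.0.0.10",
    (0, 34): "10.0.0.11",
    (0, 35): "10.0.0.12",
}
SUBNET = ip_network("10.0.0.0/24")
GATEWAY_IP = "10.0.0.1"
BRAS_MAC = "00:00:5e:00:53:01"   # hypothetical MAC of the BRAS subscriber-side interface


@dataclass(frozen=True)
class Packet:
    circuit: tuple   # (VPI, VCI) the frame arrived on
    src_ip: str


def ingress_check(pkt: Packet) -> str:
    """Per-circuit source verification: a source address is valid only if it
    is the one assigned to the circuit the packet arrived on. This is the
    per-subscriber form of reverse-path checking, since the only route back
    to that source is the circuit itself. Returns 'forward' or 'drop'."""
    assigned = CIRCUIT_TABLE.get(pkt.circuit)
    if assigned is None or pkt.src_ip != assigned:
        return "drop"
    return "forward"


def handle_arp_request(circuit: tuple, sender_ip: str, target_ip: str):
    """Proxy ARP instead of bridging: the request is never relayed to another
    circuit. A legitimate sender asking for any other address in the subnet
    gets a reply carrying the BRAS's own MAC, so a customer only ever learns
    the BRAS MAC and a forged MAC on one circuit is invisible to the others.
    Returns (action, mac_in_reply)."""
    if ingress_check(Packet(circuit, sender_ip)) == "drop":
        return ("drop", None)          # forged sender address on this circuit
    if ip_address(target_ip) in SUBNET and target_ip != sender_ip:
        return ("proxy-reply", BRAS_MAC)
    return ("ignore", None)            # off-subnet or self target: nothing to answer
```

A real BRAS would also rate-limit and log the dropped frames per circuit, which is what gives the accountability the thread asks for.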
