[27134] in North American Network Operators' Group
Re: Yahoo! Lessons Learned
daemon@ATHENA.MIT.EDU (Daniel Senie)
Wed Feb 9 15:28:36 2000
Message-ID: <38A1CA77.B614BA28@senie.com>
Date: Wed, 09 Feb 2000 15:13:43 -0500
From: Daniel Senie <dts@senie.com>
MIME-Version: 1.0
To: Dan Hollis <goemon@sasami.anime.net>
Cc: Andrew Brown <twofsonet@graffiti.com>,
Vadim Antonov <avg@kotovnik.com>, nanog@nanog.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Dan Hollis wrote:
>
> On Wed, 9 Feb 2000, Daniel Senie wrote:
> > Dialup pools should also be protected. No sense in permitting problems
> > to originate on a dialup modem or ISDN line. I know the Lucent/Ascend
> > MAX product accepts an attribute Ascend-Source-IP-Check, which can be
> > applied as a part of the RADIUS authentication. Have the large dialup
> > wholesalers implemented this?
>
> When I asked a couple dialup wholesalers this question point blank last
> year, the answer was no - because their routers/term servers didn't have
> enough CPU to do filtering.
I don't buy this. The wholesalers are allowing (requiring?) filters be
added to block port 25 to all but the retail ISP's mail servers. Seems
to me if the box can handle that filter, adding one for source IP is
isn't significant additional load. The nice thing with the Ascend
attribute is the ability to apply it generically, and without the Radius
server having to know the IP address being assigned to the user.
--
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
