[39161] in North American Network Operators' Group
Re: Cable Modem [really responsible engineering]
daemon@ATHENA.MIT.EDU (Miquel van Smoorenburg)
Wed Jun 27 07:35:01 2001
To: nanog@merit.edu
From: miquels@cistron-office.nl (Miquel van Smoorenburg)
Date: Wed, 27 Jun 2001 11:34:27 +0000 (UTC)
Message-ID: <9hcgc3$7a2$1@ncc1701.cistron.net>
X-Complaints-To: abuse@cistron.nl
Errors-To: owner-nanog-outgoing@merit.edu

In article <20010626202013.A23709@HiWAAY.net>,
Chris Adams <cmadams@hiwaay.net> wrote:
>Once upon a time, Miquel van Smoorenburg <miquels@cistron-office.nl> said:
>> When the BRAS requests config info when the circuit goes up (using
>> radius) or when it acts as a DHCP relay, it includes the VPI/VCI
>> of the ATM channel in the request. That means that you can assign
>> IP addresses based on the physical connection rather than the MAC
>> address, and this is what we do [well, will do soon anyway ;)]
>
>Okay, but how do you keep the end user from putting a different IP in
>their computer?

The BRAS equipment we use, Redback SMSes, can filter out IP addresses
with invalid source addresses. Like Cisco's ip verify unicast reverse-path.

>Also, how do you prevent the user from trying to forge someone else's
>IP address or even MAC address in outgoing packets?

Like I said, the SMSes we use filter IP, and they don't use real
bridging even within the same subnet; they do proxy ARP. So if a
customer ARPs for another IP in the same subnet, the SMS will answer
the ARP request itself; it will not be bridged.

Unfortunately I have not been able to play with Cisco's 6400
series yet to see if they offer the same functionality - not that
we're not happy with our current equipment, but I'd like to know
a bit more about how other equipment behaves. However, from the
docs I get the impression that Cisco calls this IRB.

>Without protecting
>against forged packets, I don't see how to provide accountability when
>someone attacks.

Very true. The BRAS must be able to protect from IP spoofing and
it must do proxy ARP instead of real bridging.

Mike.
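
The following is an added example, not part of the original message and not vendor code: a small Python model of the behaviour described in this thread, where addresses are bound to the physical circuit (port plus VPI/VCI), packets with any other source are dropped, and ARP is answered by the gateway instead of being bridged. The Gateway and Circuit classes, the MAC address and the 192.0.2.0/24 addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

GATEWAY_MAC = "02:00:00:00:00:01"  # constructed value for this example

@dataclass(frozen=True)
class Circuit:  # the physical connection: port plus ATM VPI/VCI
    port: str
    vpi: int
    vci: int

@dataclass
class Gateway:  # hypothetical model of the BRAS behaviour described above
    subnet: IPv4Network
    bindings: dict = field(default_factory=dict)    # Circuit -> IPv4Address
    violations: list = field(default_factory=list)  # (Circuit, claimed source)

    def bind(self, circuit, ip):
        """Record the address assigned to a circuit (the RADIUS/DHCP step)."""
        ip = IPv4Address(ip)
        if ip not in self.subnet:
            raise ValueError(f"{ip} is outside {self.subnet}")
        self.bindings[circuit] = ip

    def _source_ok(self, circuit, src):
        ok = self.bindings.get(circuit) == IPv4Address(src)
        if not ok:  # the log names the circuit, not the forged address
            self.violations.append((circuit, src))
        return ok

    def ip_ingress(self, circuit, src):
        """Forward a packet only if its source is the circuit's own address."""
        return "forward" if self._source_ok(circuit, src) else "drop"

    def arp_ingress(self, circuit, sender_ip, target_ip):
        """Proxy ARP: answer in-subnet requests locally, never bridge them."""
        if self._source_ok(circuit, sender_ip) and IPv4Address(target_ip) in self.subnet:
            return GATEWAY_MAC
        return None

def demo():
    gw = Gateway(IPv4Network("192.0.2.0/24"))  # documentation prefix
    a, b = Circuit("atm1/0", 8, 35), Circuit("atm1/0", 8, 36)
    gw.bind(a, "192.0.2.10")
    gw.bind(b, "192.0.2.11")
    return [
        gw.ip_ingress(a, "192.0.2.10"),                 # own address
        gw.ip_ingress(a, "192.0.2.11"),                 # b's address, forged
        gw.arp_ingress(a, "192.0.2.10", "192.0.2.11"),  # ARP for a neighbour
    ], gw.violations
```

Because the violation record is keyed by circuit rather than by the claimed address, a forged source still points back to the line it arrived on, which is the accountability property raised in the quoted question.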