Re: Things to do to make the network better

[Jon Lewis <jlewis () inorganic5 fdt net>]

On Thu, 8 Jan 1998, Morten Reistad wrote:

> We have routers with ISDP PRI links, where the routing information
> arrives from RADIUS via a CHAP login. There are 600 routed objects
> in the RADIUS database, as well as 10k+ non-routed (dynamic IP)
> objects. Every ISDN router therefore has a potential 600 directly
> attached neighbors; although no router has more than 60 links at any
> one time. Some common equipment may handle this just barely; other is
> wholly inadequate. 

So if you only have 60 links at a time, it can probably handle 60 really
short access-lists.  The trick is how to create appropriate filter lists
on the fly.  People have been requesting "automatic" filters where the
access-server unless overridden creates a filter based on the routes it
has for a particular interface.  Hopefully, they're actually working on
this...or at least thinking about it.

As an "it's better than nothing" solution, unless you have too many
network blocks, you can at least put in your various routers filter lists
that allow forwarding of all possibly valid source addresses, but block
absolutely bogus ones (i.e. source addresses from networks that are not
yours).  This would allow some level of spoofing within your own network,
but protect the rest of the world.


------------------------------------------------------------------
 Jon Lewis <jlewis () fdt net>  |  Unsolicited commercial e-mail will
 Network Administrator       |  be proof-read for $199/message.
 Florida Digital Turnpike    |  
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____