nanog mailing list archives

Re: How to protect registered IP addresses

From: chris () netasset com (Chris Cook, Net Asset LLC)
Date: Wed, 12 Mar 1997 19:19:58 -0700


On Thu, Mar 13, 1997, 3:39:29 AM PST George Herbert wrote:


I believe you can just deny by default and allow traffic from the
registered address blocks under each interface, on incoming interfaces
at your central router (and sub-routers).  Nice short list.

-george william herbert
gherbert () crl com


This is obviously better then nothing, and probably the most practical
solution, but most networks have holes in their allocated blocks.  
Wouldn't some sort of authentication scheme (RADIUS/TACACS
or maybe Kerbros) be a better solution?  More complicated for sure. 

The idea would be to check the connection request to the outgoing router
against some sort of database, then expiring the token after it's use.  The 
real trick to this is checking only the initial request.  Something more in the
realm of switching authentication...

Anyone have any ideas how something as large as a class B with say 30% address
utilization on scattered addresses (non-contigeous) could be rapidly verified
without checking every packet?

Thanks for your indulgance,

Chris Cook
Network Engineer
__________________________________________________________________________
Net Asset Network Operations Center
1315 Van Ness Ave., Suite 103
Fresno CA 93721
209/225-0222
- - - - - - - - - - - - - - - - -

Current thread:

How to protect registered IP addresses Sun Wei (Mar 12)
- Re: How to protect registered IP addresses George Herbert (Mar 12)
- <Possible follow-ups>
- Re: How to protect registered IP addresses Chris Cook, Net Asset LLC (Mar 13)
  - Re: How to protect registered IP addresses Hui-Hui Hu (Mar 13)