In article <20010626202013.A23709@HiWAAY.net>, Chris Adams <cmadams@hiwaay.net> wrote:
> Once upon a time, Miquel van Smoorenburg <miquels@cistron-office.nl> said:
> > When the BRAS requests config info when the circuit goes up (using RADIUS) or when it acts as a DHCP relay, it includes the VPI/VCI of the ATM channel in the request. That means that you can assign IP addresses based on the physical connection rather than the MAC address, and this is what we do [well, will do soon anyway ;)]
>
> Okay, but how do you keep the end user from putting a different IP in their computer?

The BRAS equipment we use, Redback SMSes, can filter out IP addresses with invalid source addresses, like Cisco's ip verify unicast reverse-path.

> Also, how do you prevent the user from trying to forge someone else's IP address or even MAC address in outgoing packets?

Like I said, the SMSes we use filter IP, and they don't use real bridging even within the same subnet; they do proxy ARP. So if a customer ARPs for another IP in the same subnet, the SMS will answer the ARP request itself; it will not be bridged. Unfortunately I have not been able to play with Cisco's 6400 series yet to see if they offer the same functionality - not that we're not happy with our current equipment, but I'd like to know a bit more about how other equipment behaves. However, from the docs I get the impression that Cisco calls this IRB.

> Without protecting against forged packets, I don't see how to provide accountability when someone attacks.

Very true. The BRAS must be able to protect from IP spoofing and it must do proxy ARP instead of real bridging.

Mike.
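The two BRAS behaviours the thread settles on, a per-circuit source-address check and proxy ARP instead of bridging, modelled in a small simulation. This is an added example, not code from the post or from any Redback or Cisco product; the circuit table, subnet and BRAS MAC are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: each ATM circuit (VPI, VCI) is bound to exactly one
# customer IP, as the BRAS would learn it via RADIUS or as a DHCP relay.
CIRCUIT_TABLE = {
    (8, 35): "192.0.2.10",
    (8, 36): "192.0.2.11",
    (8, 37): "192.0.2.12",
}
CUSTOMER_SUBNET = ip_network("192.0.2.0/24")
BRAS_MAC = "00:00:5e:00:53:01"  # constructed placeholder MAC for the BRAS itself


@dataclass(frozen=True)
class Verdict:
    action: str  # "forward" or "drop"
    reason: str


def filter_upstream(circuit, src_ip):
    """Per-circuit source check, the analogue of strict uRPF on the BRAS.
    A packet is forwarded only if its source address is the one bound to
    the circuit it arrived on; any other source is dropped with a reason
    suitable for logging, which is what gives accountability."""
    expected = CIRCUIT_TABLE.get(circuit)
    if expected is None:
        return Verdict("drop", f"unknown circuit {circuit}")
    if src_ip != expected:
        return Verdict("drop", f"spoofed source {src_ip} on {circuit}, expected {expected}")
    return Verdict("forward", "source matches circuit binding")


def answer_arp(circuit, sender_ip, target_ip):
    """Proxy ARP: the BRAS answers ARP requests itself and never bridges them
    to other customers' circuits, so one customer cannot learn or impersonate
    a neighbour's MAC. Returns the MAC to place in the reply, or None when the
    request is silently dropped."""
    if filter_upstream(circuit, sender_ip).action != "forward":
        return None  # spoofed sender IP inside the ARP body: ignore it
    if ip_address(target_ip) not in CUSTOMER_SUBNET:
        return None  # not an address the BRAS proxies for
    return BRAS_MAC  # always the BRAS's own MAC, never the real neighbour's


if __name__ == "__main__":
    # Constructed traffic: one honest packet, one spoofed packet, one ARP probe.
    for circuit, src in [((8, 35), "192.0.2.10"), ((8, 35), "192.0.2.11")]:
        print(circuit, src, filter_upstream(circuit, src))
    print("ARP reply MAC:", answer_arp((8, 35), "192.0.2.10", "192.0.2.11"))
```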