On Wed, Aug 06, 1997 at 04:00:14PM -0700, J.D. Falk wrote:
I don't know about the "huge players", but we're an Internet Service Provider, not an Internet Blockage Provider. We don't allow spoofing, and we don't allow relaying, but we're not about to put filters to prevent dialup customers from connecting wherever they want.
How 'bout to stop them from connecting wherever they want, spoofing their IP address so it looks like it's your box at home that's hacking into the NSA instead of them?
This is an extreme example, but hopefully it illustrates the reason that a little simple filtering is a Good Thing[TM].
In as much as filtering each dial-up port to only allow packets from its own source address is an operational issue.. :-) I said "we don't allow spoofing".

Operational question: will a Livingston Portmaster allow source IP spoofing? That is, if you have been given an address of x, can you send a packet from y?

If the answer is "yes" (and I can think of a reason or two why it should be), and given the current implementation of RADIUS and its method of supplying filter rules, one immediate solution comes to mind. Set up a filter rule for every possible IP address that may be assigned, and have the RADIUS server supply the rule that goes with the Framed-IP-Address.

Hmmm.

--
= Christopher Masto = chris@netmonger.net = http://www.netmonger.net/ =
= NetMonger Communications = finger for PGP key = $19.95/mo unlimited access =
= Director of Operations = (516) 221-6664 = mailto:info@netmonger.net =
v---(cut here)---v
-- yourname@some.dumb.host.com
"Keep in mind that anything Kibo says makes a great sig." -- Kibo
^---(cut here)---^
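The per-address filter idea from the message above, modelled as an added example (not part of the original post, and not Livingston or RADIUS server configuration syntax). It assumes a constructed dial-up pool of 192.0.2.0/28, a hypothetical filter naming scheme, and the standard RADIUS Filter-Id attribute as the way the server names the rule that goes with the Framed-IP-Address.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def filter_name(ip):
    """Hypothetical naming scheme: one filter name per assignable address."""
    return "src-" + str(ip).replace(".", "-")

def build_filters(pool_cidr):
    """One ingress filter per pool address: permit that source, deny the rest."""
    filters = {}
    for host in ipaddress.ip_network(pool_cidr).hosts():
        own = ipaddress.ip_network(f"{host}/32")
        filters[filter_name(host)] = [("permit", own), ("deny", ANY)]
    return filters

def radius_reply(assigned_ip, filters):
    """Reply attributes for a session: the address and its matching filter."""
    name = filter_name(assigned_ip)
    if name not in filters:
        # Refuse to hand out an address that has no source filter defined.
        raise KeyError(f"no filter defined for {assigned_ip}")
    return {"Framed-IP-Address": assigned_ip, "Filter-Id": name}

def port_accepts(reply, filters, packet_src):
    """First-match evaluation of the filter applied to the dial-up port."""
    src = ipaddress.ip_address(packet_src)
    for action, net in filters[reply["Filter-Id"]]:
        if src in net:
            return action == "permit"
    return False  # implicit deny if no rule matches

if __name__ == "__main__":
    filters = build_filters("192.0.2.0/28")        # constructed sample pool
    reply = radius_reply("192.0.2.5", filters)     # customer is given address x
    for src in ("192.0.2.5", "192.0.2.6", "198.51.100.9"):
        verdict = "forward" if port_accepts(reply, filters, src) else "drop"
        print(f"{reply['Filter-Id']}: packet from {src} -> {verdict}")
```

The cost the message hints at is visible here: the filter table grows by one entry for every address that may ever be assigned.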