In message <Pine.LNX.3.95.980107222357.167l-100000@inorganic5.fdt.net>, Jon Lewis writes:
On Wed, 7 Jan 1998, Morten Reistad wrote:
I am network manager for a pretty much medium-sized ISP, with around 1700 internal network blocks; 600 of which come from dynamic sources. (RADIUS; various routing protocols). Given that a stock router will run out of filter lists long before the 600 mark I see major scaling problems here. (Outside of our network we show around 30 BGP network
You need to do this as close to the edge as possible. Do you have routers with 600 customer links directly connected? If you did, then it might only be feasible to require that your customers filter their traffic such that they cannot send bogus source traffic to you...and have stiff penalties in their service contracts for failure to maintain such filters.
We have routers with ISDN PRI links, where the routing information arrives from RADIUS via a CHAP login. There are 600 routed objects in the RADIUS database, as well as 10k+ non-routed (dynamic IP) objects. Every ISDN router therefore has a potential 600 directly attached neighbors; although no router has more than 60 links at any one time. Some common equipment may handle this just barely; other is wholly inadequate.

We DO filter on the other edge too, (towards peering partners). We currently have approx 10 megabit worth of external traffic in two locations; and filtering works. I doubt we can do this with 10 times this traffic.

Because of this filtering spoofing will be between clients that have a contractual relationship with us; and we can easily go after them in the judicial system; and we have this covered in the contracts. All routers we ship have anti-spoofing filter lists configured too, but we only have such a relation to around half of our customers.

My point is that both approaches have huge scaling problems; easily evident for a medium-size ISP. (Although we are part of EUnet International the national operations are pretty autonomous). If things are this evident for us, it must be a nightmare for the bigger ISPs with lots more routed objects.

I would appreciate some thought on how to address this issue on a bigger scale.
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will be proof-read for $199/message.
Network Administrator
Florida Digital Turnpike
http://inorganic5.fdt.net/~jlewis/pgp for PGP public key
--
Morten Reistad, Network Manager
EUnet Norway AS, Sandakerveien 64, Oslo
<Morten.Reistad@Norway.EU.net>
Connecting Europe since 1982
phone +47 2209 2940
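The per-session source check Morten describes (prefixes learned from RADIUS on a CHAP login, checked against packet sources on the access router rather than kept as one static filter list per customer), sketched as an added Python example that is not part of this thread. It assumes the RFC 2865 text form of Framed-IP-Address and Framed-Route ("prefix gateway metric"); the RADIUS replies and packets are constructed.

```python
"""Per-session anti-spoofing check for an access router whose routes
arrive from RADIUS on a CHAP login. Added example, not from the posters.
Attribute text follows RFC 2865; replies and packets below are constructed."""
from ipaddress import ip_address, ip_network

# Constructed RADIUS Access-Accept attributes per user, keyed by username.
RADIUS_REPLIES = {
    "cust-a": {"Framed-IP-Address": "192.0.2.1",
               "Framed-Route": ["192.0.2.0/29 0.0.0.0 1"]},
    "cust-b": {"Framed-IP-Address": "203.0.113.1",
               "Framed-Route": ["198.51.100.0/24 0.0.0.0 1",
                                "203.0.113.64/26 0.0.0.0 1"]},
    "dialup-17": {"Framed-IP-Address": "198.51.100.200"},  # non-routed object
}

def prefixes_from_reply(attrs):
    """Networks a session may legitimately source traffic from: its own
    WAN address plus the destination of every Framed-Route it was given."""
    nets = [ip_network(attrs["Framed-IP-Address"] + "/32")]
    for route in attrs.get("Framed-Route", []):
        dest = route.split()[0]            # "dest/len gateway metric"
        nets.append(ip_network(dest, strict=False))
    return nets

def build_filter(replies):
    """Compile once per login: one table entry per live session instead of
    one static filter list per customer (the scaling point in the thread)."""
    return {user: prefixes_from_reply(a) for user, a in replies.items()}

def source_allowed(flt, user, src):
    """True if src falls inside a prefix learned for this session.
    Unknown or expired sessions fail closed."""
    nets = flt.get(user)
    if nets is None:
        return False
    addr = ip_address(src)
    return any(addr in n for n in nets)

def spoof_report(flt, packets):
    """packets: iterable of (session user, source IP). Returns the ones the
    ingress filter would drop, for logging and follow-up with the customer."""
    return [(u, s) for u, s in packets if not source_allowed(flt, u, s)]
```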