On Thu, 8 Jan 1998, Morten Reistad wrote:
We have routers with ISDP PRI links, where the routing information arrives from RADIUS via a CHAP login. There are 600 routed objects in the RADIUS database, as well as 10k+ non-routed (dynamic IP) objects. Every ISDN router therefore has a potential 600 directly attached neighbors; although no router has more than 60 links at any one time. Some common equipment may handle this just barely; other is wholly inadequate.
So if you only have 60 links at a time, it can probably handle 60 really short access-lists. The trick is how to create appropriate filter lists on the fly. People have been requesting "automatic" filters where the access-server unless overridden creates a filter based on the routes it has for a particular interface. Hopefully, they're actually working on this...or at least thinking about it. As an "it's better than nothing" solution, unless you have too many network blocks, you can at least put in your various routers filter lists that allow forwarding of all possibly valid source addresses, but block absolutely bogus ones (i.e. source addresses from networks that are not yours). This would allow some level of spoofing within your own network, but protect the rest of the world. ------------------------------------------------------------------ Jon Lewis <jlewis@fdt.net> | Unsolicited commercial e-mail will Network Administrator | be proof-read for $199/message. Florida Digital Turnpike | ______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____