Re: NetReg: iptables instead of DNS


From: Ole Craig (olc@cs.umass.edu)
Date: Fri Apr 30 2004 - 12:48:06 CDT


On 04/30/04 at 12:12, 'twas brillig and Robert Lowe scrobe:

> Common practice is to blackhole the unregistered IP address space. If
> users steal IP addresses, then you must be able to connect a registration
> system with a more centralized gateway, e.g. Carnegie Mellon's AuthBridge
> coupled with their NetReg.

        Yes. We rejected this design because of the degree of
synchronization required between DHCP leasing and the router, and the
necessity of very short DHCP lease times.

> It would seem you have a network design that accommodates something similar,
> in that all packets pass through your netreg box from this particular LAN
> (given that you mention NAT). That is probably not typical, but most do
> have traffic flowing through a core switch/router. Filtering there is
> harder and vendor-specific. Some places have network bandwidth quota
> systems that manipulate CAM tables, or apply MAC-specific rules.

        Yes, the network in question is segmented behind a dualhome
Pii which is both a NAT box and the netreg headend. I can see how it
would be difficult to implement this generically to accommodate
different vendor hardware, though.

                Ole

-- 
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key

Where are the missing deficit-reduction program-related activities?
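As an added example (not code from the thread or from the NetReg project): a script that emits the iptables ruleset for the design Ole describes, a dual-homed headend that is both NAT box and registration gateway. Registered hosts are matched by source MAC, so nothing has to be synchronised with DHCP leases or a separate router; unregistered hosts have their HTTP redirected to the portal and everything else dropped. Interface names, the portal address and the registration file format are assumptions.

```shell
#!/bin/sh
# Added example, not NetReg's own code: emit iptables rules for a
# dual-homed headend that is both NAT box and registration gateway.
# Registered hosts are matched by source MAC on the LAN interface, so no
# DHCP/router synchronisation or short leases are needed.  Unregistered
# hosts get their HTTP DNATed to the portal on the headend (delivered to
# INPUT, assumed ACCEPT) and every other forwarding attempt hits the
# FORWARD DROP policy.  Interfaces, addresses and file format are assumed.

LAN_IF=${LAN_IF:-eth1}        # assumed inside interface (segmented LAN)
WAN_IF=${WAN_IF:-eth0}        # assumed outside interface
PORTAL=${PORTAL:-10.0.0.1}    # assumed LAN address of the headend/portal

# Constructed registration file: "<mac> <owner>" per line, '#' comments.
# The last entry is deliberately malformed to show that it is skipped.
REG_FILE=$(mktemp)
cat >"$REG_FILE" <<'EOF'
# mac                 owner
00:11:22:33:44:55     alice
aa:bb:cc:dd:ee:ff     bob
zz:zz:zz:zz:zz:zz     broken-entry
EOF

# Print the rules for one registration file.  Nothing is applied here, so
# the output can be reviewed first (or piped to sh as root on the headend).
gen_netreg_rules() {
    regfile=$1
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Registered MACs: ACCEPT in nat PREROUTING skips the portal DNAT below,
    # and the FORWARD rule lets their traffic out through the NAT.
    grep -v '^#' "$regfile" | while read -r mac owner; do
        [ -z "$mac" ] && continue
        if ! echo "$mac" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
            echo "skipping malformed MAC '$mac' ($owner)" >&2
            continue
        fi
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -m mac --mac-source $mac -j ACCEPT"
    done
    # Everyone else: web requests land on the portal; the rest is dropped.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j DNAT --to-destination $PORTAL:80"
}

# Number of rule lines that would be installed, for a quick sanity check.
count_rules() { gen_netreg_rules "$1" 2>/dev/null | grep -c '^iptables'; }
```

The per-MAC exemptions are emitted before the catch-all DNAT on purpose; iptables evaluates the chain in order, so reversing them would send registered hosts to the portal too.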



This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:45 CDT