LISTSERV mailing list manager LISTSERV 15.5

Help for NORDNOG Archives


NORDNOG Archives

NORDNOG Archives


View:

Next Message | Previous Message
Next in Topic | Previous in Topic
Next by Same Author | Previous by Same Author
Chronologically | Most Recent First
Proportional Font | Monospaced Font

Options:

Join or Leave NORDNOG
Reply | Post New Message
Search Archives


Subject: Re: IP limits from RIPE?
From: Fredrik Söderblom <[log in to unmask]>
Reply-To:Network management discussion for Nordic region <[log in to unmask]>
Date:Wed, 4 Dec 2002 15:47:51 +0100
Content-Type:text/plain
Parts/Attachments:
Parts/Attachments

text/plain (69 lines)


if you are using openbsd's bridge functionality, you could prolly
stop your client's arp requests from passing thru your openbsd
bridge, and hence no arp reply would be triggered from the arp proxy.

you would need to create static arp's for B2's gw (on all of
your hosts) though.

ie smt like:

brconfig bridge0 rule block in on fxp0 dst ff:ff:ff:ff:ff:ff
brconfig bridge0 rule  pass in on fxp0

where fxp0 would be your internal NIC.

--
fredrik söderblom, [log in to unmask]
exaro ab, narvavägen 16, se-115 22 stockholm
phone: +46 (0)70 829 2140, fax: +46 (0)8 89 40 53

Martin Back said:

>  Måns Nilsson wrote on Dec 04, 2002 at 12:16:11 PM:
>
> [...]
>
>> One *might* assign some kind of limit per subscriber, to prevent from
>> DoS by snarfing all leases. This, I believe, is already being done, by
>> Bredbandsbolaget.
>>
>> On a related note -- Regardless of the issues I have with some of the
>> things I've heard B2 does (for example altering a DHCP server so it
>> deliberately denies renewal in favour of another address, and the
>> debacle with the Digisip-issued Cisco ATA boxes being given RFC1918
>> leases) I find that the basic structure and service level both are
>> sound -- a rôle model for a consumer broadband operation.
>
> Well, I'm running B2 at home, and it usually works really well. One big
> problem for me though, is that they are running an ARP proxy. There is
> of course good reasons for doing so, but it really makes it hard for
> people like me trying to implement some security... I'm running a box
> with OpenBSD as a transparent firewall, and this would work really well
> if I didn't want to be able to connect between my computers... but I, of
> course, do... :)
> The problem is that the ARP proxy makes my connections going through the
> firewall instead of just through my local switch. This is probarbly due
> to the fact that both my machine and the ARP proxy answers to the ARP
> who-has. My guess is that since the machine I'm trying to connect to
> answers first, and then the ARP proxy, it first uses the real one and
> then, like 1/10 of a second later, changes to the ARP proxy one. Haven't
> really checked that theory out yet, but I believe it works like that.
>
> This would would not have been a problem if one could get static
> IP-adresses, then I could set the ARP manually... but when you get a new
> IP all the time, that doesn't work either.
>
> Been trying to find a solution to this problem for quite some time now,
> but I haven't been able to find one. If only Microsoft could have
> coded a better implementation of the TCP/IP stack so one could have a
> static IP on the same interface as one with DHCP, but no... that was way
> to complicated for them... :)
> I could of course use two NICs instead, but I'm tired of all cables
> running around all over the apartment.
>
> Anyway... I've solved it by using static ARP entries via some scripts,
> but it's not working as well as I would have wanted.
> So, anyone at B2 reading this and feels sorry enough for me to let me
> have static IPs instead? :)
>
> ./m

Back to: Top of Message | Previous Page | Main NORDNOG Page

Permalink



LISTSRV.NORDU.NET

CataList Email List Search Powered by the LISTSERV Email List Manager