Avi,
> Why not use static MAC mappings and turn off arp?
That would work, but is a hassle when they change their ethernet
cards. An improvement would be to turn off ARP for specific IP
ranges, and leave the law-abiding customers alone (how?). The real solution
appears to be to change the product slightly and run CAR rate-limit from the
CC train. Then I don't care what they put behind it.
Alex Bligh
GX Networks (formerly Xara Networks)
>
> Avi
>
> > I shall learn in future never to post to two lists with similar
> > readerships on different issues simultaneously. Following my
> > post on NANOG I've now been told by no less than 8 people that
> > my cisco-nsp question is not the right way to go about solving
> > DOS attacks. I agree completely. That wasn't what I was trying to
> > do. FWIW here's what I want to do:
> >
> > > > We've run out of space in our colocation areas and people
> > > > are thus buying our ethernet colocation service and finding their
> > > > own space in the building. They can get (say) a Class C for
> > > > virtual hosts. I want to stop them plugging in a gated box
> > > > and running an entire network behind it. IE what I want to
> > > > make sure is that it only goes to addresses whose MAC addresses
> > > > are immediately visible. This seemed like a nice way to do it.
> > > > Yes, one joker has tried it.
> >
> > --
> > Alex Bligh
> > GX Networks (formerly Xara Networks)
>