[rbak-nsp] dhcp only on interface

David Freedman david.freedman at uk.clara.net
Sun Aug 3 17:59:41 EDT 2008


I take it these are IPoE subs. If you want to prevent a user creating a static IP on their machine and it being used, the problem is bigger than just the redback: what about all the other subs making an ARP request and seeing the ARP response between themselves? I've no idea how your network is designed, but I take it that your IPoE edge devices filter MAC such that only your redback interface can be seen?

Secured ARP will go some of this way, but CLIPS is an entire solution built on supporting IPoE subs.

With CLIPS, each IPoE sub is treated as a proper redback sub; when a DHCP lease expires the sub is cut off and both ARP and MAC communication are cut off.

But as I said above, your IPoE edge devices need appropriate securing.

------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



-----Original Message-----
From: Marcin Kuczera [mailto:marcin at leon.pl]
Sent: Sun 8/3/2008 22:16
To: David Freedman; redback-nsp at puck.nether.net
Subject: Re: [rbak-nsp] dhcp only on interface
 

>Now with DHCP, the lease that it serves back would update the ARP table,
>and
>should clear it when the lease expires.
>The point is that these are separated tables, although the lease got
>expired, the ARP table is not.

this is what I've observed: once I fetch an IP from DHCP, there is a new entry
in the ARP table that looks like static.
But it takes some time after disconnecting for the ARP entry to be cleared.
That's something that I can apply, I mean - a few minutes like that is acceptable
for me since a particular IP is statically bound to a particular MAC address.

However, there was still a possibility to bind a static IP to the PC and use it,
so classical dynamic ARP worked fine - how to turn it off?

>What Marcin likes to achieve is that when the lease is expired, the
>connection of that subscriber is dropped, and no communication is allowed
>anymore, right?

that would be perfect ;-) anyone able to push this feature request forward?

>The DHCP server should be able to do this but it sounds more like a job for
>a clips controlled subscriber to me.

the problem is that I still don't know how CLIPS really works..
Something similar to DHCP, but with the possibility to apply some filter policy,
QoS policy and others.. All the RADIUS assignment and accounting sounds
perfect, but it's still not clear to me...

Regards,
Marcin
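
The gap discussed in this thread (the ARP table and the DHCP lease table are kept separately, so an address can stay in use after its lease expires or when it was set statically) can be audited by cross-checking the two tables. The following is an added example, not part of the original messages and not Redback code; the table formats, the `Lease` type and `audit_arp` are assumptions, and all sample entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    expires: int  # epoch seconds at which the DHCP lease ends


def audit_arp(arp_entries, leases, now, grace=0):
    """Return (ip, mac, reason) for every ARP entry not backed by a valid lease.

    arp_entries: iterable of (ip, mac) exported from the edge router (assumed format).
    grace: seconds an ARP entry may outlive its lease before it is reported.
    """
    by_ip = {lease.ip: lease for lease in leases}
    findings = []
    for ip, mac in arp_entries:
        mac = mac.lower()
        lease = by_ip.get(ip)
        if lease is None:
            findings.append((ip, mac, "no-lease"))       # statically configured address
        elif lease.mac.lower() != mac:
            findings.append((ip, mac, "mac-mismatch"))   # leased address, different host
        elif now > lease.expires + grace:
            findings.append((ip, mac, "lease-expired"))  # ARP entry outlived the lease
    return findings


# Constructed sample data (documentation addresses, locally administered MACs).
NOW = 1_217_800_000
LEASES = [
    Lease("192.0.2.10", "02:00:00:00:00:0a", NOW + 3600),  # active
    Lease("192.0.2.11", "02:00:00:00:00:0b", NOW - 600),   # expired 10 minutes ago
    Lease("192.0.2.12", "02:00:00:00:00:0c", NOW + 3600),  # active
]
ARP = [
    ("192.0.2.10", "02:00:00:00:00:0A"),  # matches its lease
    ("192.0.2.11", "02:00:00:00:00:0b"),  # still present after lease expiry
    ("192.0.2.12", "02:00:00:00:00:99"),  # leased address answered by another MAC
    ("192.0.2.50", "02:00:00:00:00:50"),  # address never handed out by DHCP
]

if __name__ == "__main__":
    for finding in audit_arp(ARP, LEASES, NOW, grace=300):
        print(*finding)
```

The `grace` parameter models the few minutes of ARP lag after lease expiry that the poster considers acceptable; entries older than that, or with no matching lease at all, are reported.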


