<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>RE: [rbak-nsp] dhcp only on interface</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>I take it these are IPoE subs, if you want to prevent a user creating a static IP on their machine and it being used, the problem is bigger than just the redback, what about all the other subs making an ARP request and seeing the ARP response between themselves? I've no idea how your network is designed but I take it that your IPoE edge devices filter MAC such that only your redback interface can be seen?<BR>
<BR>
Secured ARP will go some of this way but CLIPS is an entire solution built on supporting IPoE subs.<BR>
<BR>
With CLIPS, each IPoE sub is treated as a proper redback sub, when a DHCP lease expires the sub is cut off and both ARP and MAC communication are cut off.<BR>
<BR>
But as I said above, your IPoE edge devices need appropriate securing.<BR>
<BR>
------------------------------------------------<BR>
David Freedman<BR>
Group Network Engineering<BR>
Claranet Limited<BR>
<A HREF="http://www.clara.net">http://www.clara.net</A><BR>
<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Marcin Kuczera [<A HREF="mailto:marcin@leon.pl">mailto:marcin@leon.pl</A>]<BR>
Sent: Sun 8/3/2008 22:16<BR>
To: David Freedman; redback-nsp@puck.nether.net<BR>
Subject: Re: [rbak-nsp] dhcp only on interface<BR>
<BR>
<BR>
>Now with DHCP, the lease that it serves back would update the ARP table,<BR>
>and<BR>
>should clear it when the lease expires.<BR>
>The point is that these are separated tables, although the lease got<BR>
>expired, the ARP table is not.<BR>
<BR>
this is what I've observed, once I fetch IP from DHCP, there is a new entry<BR>
in ARP table, that looks like static.<BR>
But, it takes a time after disconnecting so that the ARP entry is cleared.<BR>
That's something that I can apply, I mean - such a few minutes is acceptable<BR>
for me since particular IP is statically bound to particular MAC address.<BR>
<BR>
However, there was a still possibility to bind a static IP to PC and use it,<BR>
so classical dynamic ARP worked fine - How to turn it off ?<BR>
<BR>
>What Marcin likes to achieve is that when the lease is expired, the<BR>
>connection of that subscriber is dropped, and no communication is allowed<BR>
>anymore, right?<BR>
<BR>
that would be perfect ;-) anyone able to push this feature request forward ?<BR>
<BR>
>The DHCP server should be able to do this but it sounds more like a job for<BR>
>a clips controlled subscriber to me.<BR>
<BR>
the problem is that I still don't know how CLIPS really works..<BR>
Something similar to DHCP, but with possibility to apply some filter policy,<BR>
qos policy and others.. All the radius assignment, accounting sounds<BR>
perfect, but it's still not clear for me...<BR>
<BR>
Regards,<BR>
Marcin<BR>
<BR>
<BR>
<BR>
</FONT>
</P>
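The gap discussed in this thread (ARP entries that outlive or bypass the DHCP lease table) can be audited offline by cross-checking the two tables. The sketch below is an added example, not part of the original messages and not Redback functionality; the function names, table layout, addresses and timestamps are all constructed assumptions.

```python
from datetime import datetime, timedelta

def audit_arp(arp_entries, leases, now):
    """Compare ARP entries with DHCP leases; return (ip, mac, reason) findings."""
    findings = []
    for ip, mac in arp_entries:
        mac = mac.lower()                      # normalise before comparing
        lease = leases.get(ip)
        if lease is None:
            # Host answers ARP for an address DHCP never handed out:
            # the "static IP on the PC" case from the thread.
            findings.append((ip, mac, "no-lease"))
        elif lease["mac"].lower() != mac:
            # Address is leased, but to a different MAC.
            findings.append((ip, mac, "mac-mismatch"))
        elif now >= lease["expires"]:
            # Lease is gone but the ARP entry is still present.
            findings.append((ip, mac, "lease-expired"))
    return findings

# Constructed sample data (documentation address ranges), not real output.
NOW = datetime(2008, 8, 3, 22, 16)
SAMPLE_LEASES = {
    "192.0.2.10": {"mac": "00:00:5e:00:53:0a", "expires": NOW + timedelta(hours=1)},
    "192.0.2.11": {"mac": "00:00:5e:00:53:0b", "expires": NOW - timedelta(minutes=5)},
    "192.0.2.12": {"mac": "00:00:5e:00:53:0c", "expires": NOW + timedelta(hours=1)},
}
SAMPLE_ARP = [
    ("192.0.2.10", "00:00:5e:00:53:0a"),   # valid lease, matching MAC
    ("192.0.2.11", "00:00:5E:00:53:0B"),   # lease expired, ARP entry lingers
    ("192.0.2.12", "00:00:5e:00:53:99"),   # leased address used by another MAC
    ("192.0.2.50", "00:00:5e:00:53:32"),   # no lease at all
]

def sample_findings():
    """Run the audit over the constructed tables above."""
    return audit_arp(SAMPLE_ARP, SAMPLE_LEASES, NOW)

if __name__ == "__main__":
    for ip, mac, reason in sample_findings():
        print(f"{ip:15} {mac}  {reason}")
```
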
</BODY>
</HTML>