North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
RE: SlashDot: "Comcast Gunning for NAT Users"
- From: Jim Forster
- Date: Fri Feb 01 14:16:53 2002
> To add more fuel to the fire, how does one combat the issue of "stolen" IP
> addresses. Stolen IP's are worse to me than a user doing NAT.
> Slightly intuitive users could figure out that their IP is one of a /24
> just statically assign one to their other machine with out paying for it,
> and worse take somebodies IP and make that user non-functional. I know the
> cable modem service where I live will allow this type of activity.
Oh, that one is pretty easy: DOCSIS makes it pretty easy to detect
spoofed/stolen source IP addresses. Not many providers turn on this
capability for various operational reasons, but the source IP addresses can
be locked down quite snugly. DOCSIS has these per-modem security
associations (SIDs, IIRC). IP addresses are handed out by DHCP servers
behind the CMTS, right? Well, in the course of doing the return part of the
DHCP relay the CMTS can and sometimes do record the IP-MAC-SID binding, and
then later they can verify that packets received from the Cable Modem have a
source IP address that was in fact assigned by the DHCP server and was bound
to that SID.
DOCSIS had so much per-modem state, include power-levels, encryption keys,
etc., that it was pretty easy to think of them as kinda like VCs. After
that it seemed like a good idea to do this binding to detect and prevent
spoofed source addreses. Even RPF checking couldn't have done anything to
prevent spoofing any of the 10K-20K addresses that might legitimately be
downstream of a CMTS, whereas this mechanism prevents the spoofers from
using anything except their legitimate address(es).
Now we return to your regularly schedule rant...