Things to do to make the network better

> We have routers with ISDN PRI links, where the routing
> information arrives from RADIUS via a CHAP login. There are 600
> routed objects in the RADIUS database, as well as 10k+
> non-routed (dynamic IP) objects. Every ISDN router therefore
> has a potential 600 directly attached neighbors; although no
> router has more than 60 links at any one time. Some common
> equipment may handle this just barely; other is wholly
> inadequate.

It sounds to me like what you would really like is something
akin to the "RPF check" as done on multicast traffic for unicast
traffic on your customer routers, perhaps as a per-interface
option. If this feature existed you would not accept a packet
from a given source and incoming interface unless the box in
question has a route for the source pointing back out the same
interface. That way you would not get the administrative burden
of maintaining access lists and ensuring they're always in synch
with the local view of the routing system.

Or possibly as a RADIUS option, where we really want address integrity;
not a filter list; and are willing to accept packets with source
addresses fitting a set of ip aggregates.

Doing this on the customer border routers appears to me to be the
obviously right place. Doing this in a place where asymmetrical
routing is the norm (as appears to be the case in the current
backbones) is obviously a non-starter.
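An added example, not part of the thread, modelling the per-interface check described above and the RADIUS-aggregate variant against a constructed routing table; interface names, prefixes and the idea that RADIUS hands the aggregates over at login are assumptions made for the illustration:

```python
import ipaddress

# Constructed FIB for this example: (prefix, interface the router uses to
# reach it). Interface names are assumptions, not taken from the thread.
FIB = [
    ("0.0.0.0/0", "upstream"),
    ("192.0.2.0/24", "isdn-1"),
    ("198.51.100.0/24", "isdn-2"),
    ("198.51.100.128/25", "isdn-1"),  # more-specific route wins
]

# Constructed per-interface aggregates, as a RADIUS attribute could hand
# them to the router when the customer's CHAP login succeeds.
AGGREGATES = {
    "isdn-1": ["192.0.2.0/24", "198.51.100.128/25"],
    "isdn-2": ["198.51.100.0/24"],
}

def route_interface(addr):
    """Longest-prefix match: the interface the FIB would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rpf_accept(src, in_iface):
    """Strict unicast RPF: accept only if the route back to src exits in_iface.
    Drops spoofed sources, but also drops legitimate packets whose return
    path is asymmetric, so it only fits the customer-facing edge."""
    return route_interface(src) == in_iface

def aggregate_accept(src, in_iface):
    """RADIUS-aggregate variant: accept if src lies in any prefix the login
    on in_iface is allowed to originate, independent of the FIB."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in AGGREGATES.get(in_iface, []))

if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on).
    for pkt in [("192.0.2.10", "isdn-1"),       # genuine customer packet
                ("192.0.2.10", "isdn-2"),       # spoofed from another customer
                ("192.0.2.10", "upstream"),     # asymmetric return path
                ("198.51.100.200", "isdn-2")]:  # inside the /24, routed via isdn-1
        print(pkt, "rpf:", rpf_accept(*pkt), "aggregate:", aggregate_accept(*pkt))
```

The fourth packet shows where the two checks differ: the route-based check rejects it because the more-specific /25 points at the other interface, while the aggregate check accepts it because the source lies inside the /24 the login was granted.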

Can you trust the customer border router? I personally don't.
Anyone can go out and buy a router and hook it up to the internet;
even getting a routed block of addresses doesn't cost all that much.

> Doing this on the customer border routers appears to me to be the
> obviously right place.
>
> Can you trust the customer border router? I personally don't.

Hm, this is probably caused by terminology confusion. When I say
"customer border router", I am referring to your router having
the interface towards your customers, not a router owned by the
customer.

- Håvard