How to preempt rogue RAs?

[Mark Smith]

On Thu, 04 Nov 2010 13:37:00 -0700
Alan Batie <alan.batie at peakinternet.com> wrote:

> On 10/31/10 3:05 AM, Mark Smith wrote:
> 
> > Agree, VLANs are pretty cheap. Their sub-interfaces on the router's
> > also give you individual per-customer traffic monitoring and policy
> > enforcement points.
> 
> They are a static configuration however, which makes them expensive.

We were talking about a data center setup rather than a dynamic
subscriber concentration setup.

> PPP is dynamic and still gives you the virtual circuit functionality
> needed to filter the flat lan.  One of the telcos we provide service to
> switched from atm to ethernet dslams about a year ago and we're still
> trying to get some customers moved from bridged to avoid the resulting
> problems (partly caused by bugs in the dslams).  They are doing a
> vlan/dslam which helps a little, but it was determined that
> vlan/customer just didn't scale (the customer count nears the limit of
> vlan ids also).

 The benefit of being attached to a multi-access link
like an ethernet is that attached devices can sent traffic
directly to each other i.e. "full mesh"/"peer-to-peer" communications is
available. The draw back is that each device has to trust
its on-link peers not to do anything to disrupt the shared link
resources, which is what is happening with rogue or malicious RAs. With
a PPPoE setup, you're changing the shared link traffic topology to one
that is hub-and-spoke, hair-pinning traffic between spokes, and using
the hub (i.e. aggregation router) to enforce policies on what can be
sent between the spokes. The fundamental decision is at what point do
you make the trade off between optimal and direct paths ("full mesh")
and more chance of disruption verses less optimal hair pin paths and
less chance of disruption.