RE: Big picture of mobility (was RE: ip mobile question

From: Brian Dennis (brian@labforge.com)
Date: Sat Jul 05 2003 - 16:04:20 GMT-3


I think IP mobile ARP can filter tadpoles (see below) which should
eliminate the toad problem.

router eigrp 1
 redistribute mobile route-map NOTOADS
 default-metric 10000 100 255 1 1500

route-map NOTOADS deny 10
 match tadpole
route-map NOTOADS permit 20

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
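The scenario quoted further down (a rogue host plugs in with the HR web server's address, and the /32 that `ip mobile arp` generates pulls the traffic to it) comes down to longest-prefix match: a mobile /32 always beats the legitimate /24. The added example below is not from this thread or from Cisco; it is a small Python model of that routing decision, with a constructed topology (R1 owns 10.1.1.0/24 and the HR server 10.1.1.10; R2 runs `ip mobile arp` on 10.2.2.0/24) and a concrete version of the NOTOADS filter that refuses to redistribute a mobile /32 for a protected address. Router names, addresses and the protected-host list are all assumptions made for the illustration.

```python
"""Model of the IP mobile ARP /32 hijack and the redistribution filter.

Constructed topology (an assumption for this example, not from the thread):
  R1 owns 10.1.1.0/24; the HR web server is 10.1.1.10.
  R2 owns 10.2.2.0/24 and runs 'ip mobile arp'; a rogue host on that
  segment configures itself as 10.1.1.10.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str  # "eigrp" or "mobile"


HR_SERVER = "10.1.1.10"

# Routes a core router holds before the rogue host appears (constructed).
BASE_TABLE = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "R1", "eigrp"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "R2", "eigrp"),
]


def mobile_arp_route(host_ip, seen_on_router):
    """What 'ip mobile arp' produces: a /32 for any host that ARPs with an
    off-subnet address, regardless of who that address really belongs to."""
    return Route(ipaddress.ip_network(f"{host_ip}/32"), seen_on_router, "mobile")


def redistribute_mobile(mobile_routes, protected_hosts):
    """A concrete NOTOADS: drop any mobile /32 whose address is on the
    protected list before it reaches the routing protocol."""
    denied = {ipaddress.ip_address(h) for h in protected_hosts}
    return [r for r in mobile_routes if r.prefix.network_address not in denied]


def lookup(table, dst):
    """Longest-prefix match: the reason a /32 wins over the real /24."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop_for(dst, mobile_routes, protected_hosts=()):
    """Where a packet for dst goes once the (filtered) mobile routes are in."""
    table = BASE_TABLE + redistribute_mobile(mobile_routes, protected_hosts)
    route = lookup(table, dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    rogue = [mobile_arp_route(HR_SERVER, "R2")]
    # Unfiltered: the rogue /32 hijacks the HR server's traffic to R2.
    print("unfiltered:", next_hop_for(HR_SERVER, rogue))                 # R2
    # Filtered: the /32 is never redistributed, the /24 via R1 stands.
    print("filtered:  ", next_hop_for(HR_SERVER, rogue, [HR_SERVER]))    # R1
    # A genuinely roaming host (10.1.1.20) still gets its /32 through.
    roaming = [mobile_arp_route("10.1.1.20", "R2")]
    print("roaming:   ", next_hop_for("10.1.1.20", roaming, [HR_SERVER]))  # R2
```

The deny list is the important design choice: filtering by address only protects the hosts you thought to list, so the servers that must never roam are the ones to enumerate. On IOS the equivalent is a `match ip address` against a prefix list in the route-map that `redistribute mobile` references, which is the shape Brian's joke config already has; the model above just makes the longest-match outcome visible without a lab.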

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Howard C. Berkowitz
Sent: Saturday, July 05, 2003 11:22 AM
To: ccielab@groupstudy.com
Subject: Big picture of mobility (was RE: ip mobile question

First, let me endorse Brian's comments, but note that he neglected to
mention that IP mobile ARP eats toads, pays no respect to its
parents, and is not fully potty-trained.

At 10:52 AM -0700 7/5/03, Brian Dennis wrote:
>What if you were in a very large network or trying to do IP mobile ARP
>over the Internet? Which solution do you think would be better? Call
>your ISP and tell them they need to accept the /32 routes that IP mobile
>ARP generates from you ;-)
>
>What about security issues? How secure is regular IP mobile ARP? Do you
>want anyone to just plug a computer into your network and advertise a
>/32 route for whatever address they have configured? Consider this
>hypothetical situation. What if a "hacker" plugs their computer in with
>the same IP address as the company's HR web server? When that /32 route
>from the mobile ARP process for the hacker's computer gets advertised
>around where do you think the traffic destined for the HR web server is
>going to go (assuming there isn't a /32 route for the HR web server
>being advertised already)? The hacker throws up a mock up website on
>their computer of the real HR website just long enough to capture a few
>users trying to login. After the users enter their usernames and
>passwords the hacker's mock up website tells the users the website is
>down for the next 15 minutes and to try back later. After a few users
>attempt to login the hacker unplugs the computer with the mock up
>website and lets the /32 route (mobile ARP) timeout so when the users
>try to log back into the HR web server later they will be routed back to
>the real HR web server. The users don't even know that they were
>temporarily rerouted to the hacker's mock up website that stole their
>usernames and passwords.
>
>As a side note Mobile IP offers MD5 authentication and filtering
>capabilities whereas IP mobile ARP is very insecure. I've seen Mobile IP
>deployed in the real world with law enforcement. I've never seen a large
>scale deployment of IP mobile ARP.

Both mobile IP and mobile ARP are tools in a toolbox.

When a host's position is expected to change on the order of seconds
to minutes, and is in a limited area, this is the problem that
wireless LAN protocols are meant to solve.

When the host's position changes in a large area over minutes, the
physical layer problem is solved by specialized cellular radio
protocols.

When the host moves for relatively long periods to a foreign subnet,
this is the solution space for mobile IP and mobile ARP.

When entire subnets and routers move and reinsert into networks, this
is the problem space that the IETF MANET Working Group deals with.
Think of a military environment, where a cannon company and its
wireless LAN move into a different chain of command.

IPv6 and the Router Renumbering Protocol also have facilities for
dealing with the moving subnet.

>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Jim Phillipo
>Sent: Saturday, July 05, 2003 9:36 AM
>To: 'ccielab@groupstudy.com'
>Subject: ip mobile question
>
>Where does the ip mobile arp command fit into the big picture? Seems
>like it is a lot easier to configure one router with this command along
>with redistribute mobile than going through the hassle of configuring HA
>and FA etc.
>
>The reason I ask is I am doing IPEXPERT lab 35 and the requirement was
>to allow a user from one subnet to be able to connect to another router's
>subnet without changing its IP.
>
>I was surprised when I checked the answer config and all they used was
>the ip mobile ARP command instead of all the other stuff.
>
>Any thoughts appreciated.
>
>
>_______________________________________________________________________
>You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:25 GMT-3