User guide

Security
1/1551-HSC 901 35/3 Uen C 2005-12-02
89
9.4.1.1 Broadcast
Broadcast traffic can in general be filtered out. This filtering prevents
subscribers from loading the network with broadcast traffic. Also, network
information messages that are normally broadcast on an Ethernet are
not sent to the EDA subscribers. One exception is DHCP
requests from subscribers. These are needed to obtain the initial network
configuration, for example an IP address, from a DHCP server. The DHCP
request is forwarded only in the upstream direction, never to other
subscribers.
9.4.1.2 Source MAC/IP Address
In order to prevent EDA subscribers from spoofing, the source MAC and IP
address of upstream traffic can be verified as belonging to an allowed
set of addresses. The IP DSLAM stores the valid combinations of MAC and
IP addresses for each subscriber in a MAC table. The MAC table entries
can be static or dynamic. Static entries correspond to a fixed IP address
permanently assigned via the management system to a specific
subscriber's PVC. Dynamic entries are created based on the DHCP
responses from the DHCP server. In order to maintain an up-to-date picture
of the MAC addresses and IP addresses in use, all subscribers must repeat
their DHCP requests at a configurable interval (the IP address lease
time). The MAC table entries time out after a while. The exact time is
configurable, but should be at least as long as the IP address lease time.
9.4.1.3 Destination MAC/IP Address
In order to prevent EDA subscribers from attacking EDA system nodes, it is
possible to filter out upstream packets towards those addresses when they are
located in a given range. It is also possible to allow only a limited set of
destination addresses for the upstream traffic.
9.4.1.4 Ethernet Frame Type
It is possible to limit the acceptable frame types in both directions.
Examples of acceptable frame types could be those carrying IP traffic.
Examples of rejected frame types could be LAN routing protocols
(NetBEUI).
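The four upstream filters described in 9.4.1.1 to 9.4.1.4 (broadcast suppression with the DHCP exception, per-subscriber source MAC/IP verification with static and dynamic entries that time out, destination-range blocking, and a frame type allow-list) can be modelled together. The following is an added example written for this guide, not code from the EDA product or its management system. The PVC identifiers, MAC and IP addresses, the protected address range and the frame layout are constructed for the example; the decision that a DHCP request from a subscriber bypasses the source check (because no table entry can exist before the DHCP response has been seen) is an assumption about how the filter order must work, not something the guide states.

```python
"""Model of the upstream subscriber filters of an access node (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
DHCP_SERVER_PORT = 67  # DHCP requests from clients are sent to UDP port 67


@dataclass
class Frame:
    """Minimal view of an upstream frame; the fields are constructed for this example."""
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: str = ""
    dst_ip: str = ""
    udp_dst_port: int = 0


class MacTable:
    """Per-subscriber (PVC) table of permitted (MAC, IP) combinations."""

    def __init__(self, entry_timeout: int):
        self.entry_timeout = entry_timeout  # configured timeout in seconds
        self.static: Dict[str, Set[Tuple[str, str]]] = {}
        self.dynamic: Dict[str, Dict[Tuple[str, str], float]] = {}

    def add_static(self, pvc: str, mac: str, ip: str) -> None:
        """Static entry: fixed address assigned to the PVC via management, never expires."""
        self.static.setdefault(pvc, set()).add((mac, ip))

    def learn_from_dhcp_response(self, pvc: str, mac: str, ip: str,
                                 lease_time: int, now: float) -> None:
        """Dynamic entry created from the DHCP server's response to this subscriber."""
        # The entry must live at least as long as the lease, otherwise it would
        # expire before the client is required to renew.
        self.dynamic.setdefault(pvc, {})[(mac, ip)] = now + max(self.entry_timeout, lease_time)

    def is_valid(self, pvc: str, mac: str, ip: str, now: float) -> bool:
        if (mac, ip) in self.static.get(pvc, set()):
            return True
        expires = self.dynamic.get(pvc, {}).get((mac, ip))
        if expires is None:
            return False
        if now >= expires:
            del self.dynamic[pvc][(mac, ip)]  # entry timed out
            return False
        return True


class UpstreamFilter:
    def __init__(self, table: MacTable, allowed_ethertypes: Iterable[int],
                 protected_nets: Iterable[ipaddress.IPv4Network]):
        self.table = table
        self.allowed_ethertypes = set(allowed_ethertypes)
        self.protected_nets = list(protected_nets)

    def check(self, pvc: str, frame: Frame, now: float) -> Tuple[bool, str]:
        """Return (forward?, reason) for one upstream frame from the given PVC."""
        # 9.4.1.4: only permitted frame types, in this model IP traffic only
        if frame.ethertype not in self.allowed_ethertypes:
            return False, "frame type not permitted"
        is_dhcp_request = frame.udp_dst_port == DHCP_SERVER_PORT
        # 9.4.1.1: broadcasts are dropped, except DHCP requests, which go upstream only
        if frame.dst_mac == BROADCAST_MAC and not is_dhcp_request:
            return False, "broadcast dropped"
        if is_dhcp_request:
            # Assumption: no (MAC, IP) entry exists before the DHCP response, so the
            # request cannot be subject to the source check.
            return True, "DHCP request forwarded upstream only"
        # 9.4.1.2: source MAC/IP must be a known combination for this subscriber
        if not self.table.is_valid(pvc, frame.src_mac, frame.src_ip, now):
            return False, "source MAC/IP not permitted for this subscriber"
        # 9.4.1.3: destinations inside the protected system range are blocked
        if any(ipaddress.ip_address(frame.dst_ip) in net for net in self.protected_nets):
            return False, "destination is a protected system address"
        return True, "forwarded"


def demo() -> Dict[str, bool]:
    """Run a constructed scenario and return the forwarding decision per case."""
    table = MacTable(entry_timeout=3600)
    table.add_static("pvc-static", "00:11:22:33:44:55", "10.0.0.5")
    flt = UpstreamFilter(table, [ETHERTYPE_IPV4], [ipaddress.ip_network("10.255.0.0/16")])
    mac = "aa:bb:cc:dd:ee:01"
    dhcp = Frame(mac, BROADCAST_MAC, ETHERTYPE_IPV4, "0.0.0.0", "255.255.255.255", 67)
    results = {"dhcp_request": flt.check("pvc-dyn", dhcp, 0)[0]}
    table.learn_from_dhcp_response("pvc-dyn", mac, "10.0.1.20", lease_time=7200, now=0)
    ok = Frame(mac, "00:00:5e:00:53:01", ETHERTYPE_IPV4, "10.0.1.20", "192.0.2.10")
    spoof = Frame(mac, "00:00:5e:00:53:01", ETHERTYPE_IPV4, "10.0.0.5", "192.0.2.10")
    to_node = Frame(mac, "00:00:5e:00:53:01", ETHERTYPE_IPV4, "10.0.1.20", "10.255.0.1")
    bcast = Frame(mac, BROADCAST_MAC, ETHERTYPE_IPV4, "10.0.1.20", "255.255.255.255")
    non_ip = Frame(mac, "00:00:5e:00:53:01", 0x88B5)
    results["valid_source"] = flt.check("pvc-dyn", ok, 10)[0]
    results["spoofed_source"] = flt.check("pvc-dyn", spoof, 10)[0]
    results["protected_destination"] = flt.check("pvc-dyn", to_node, 10)[0]
    results["plain_broadcast"] = flt.check("pvc-dyn", bcast, 10)[0]
    results["non_ip_frame"] = flt.check("pvc-dyn", non_ip, 10)[0]
    results["after_timeout"] = flt.check("pvc-dyn", ok, 8000)[0]  # lease 7200 has expired
    return results


if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(f"{case:22s} {'forward' if forwarded else 'drop'}")
```

The order of the checks matters: the frame type filter and the broadcast filter run before the MAC table lookup so that a subscriber cannot reach the table with a non-IP or broadcast frame, and the dynamic entry's lifetime is taken as the larger of the configured timeout and the lease, which is the "at least as long as the lease time" rule from 9.4.1.2.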
9.4.2 Layer-2 Separation
IP Hosts connected to the same LAN can communicate directly with each
other by knowing the other party’s MAC address. The way a host can see if
the other party is on the same LAN is by looking at the subnet mask. If the