To block unauthorized traffic, the system supports an anti-spoofing mechanism that
limits source address spoofing. Upstream traffic arriving at the ONT is validated for
source address. Authorized packets are forwarded and non-validated packets are
discarded, as shown in Figure 1-3.
Source address anti-spoofing is implemented in either static or dynamic mode.
• Static mode enables the table of authorized source addresses to be provisioned
  statically by an operator for one of the following anti-spoofing control types:
    • MAC-only
    • IP-only
    • MAC and IP
• Dynamic mode enables the table of authorized source addresses to be provisioned
  both statically by an operator and dynamically through DHCP, and supports the
  anti-spoofing control type IP-only.

Source address anti-spoofing filters are applied as follows:
• For IP-only anti-spoofing, packets that match a configured source address are
  forwarded, and non-matching packets are dropped.
• For MAC and IP anti-spoofing, packets that match a configured pair of MAC
  source address and IP source address are forwarded, and non-matching packets
  are dropped.
• MAC-only anti-spoofing can be implemented in one of two modes:
    • Inclusive mode forwards packets that match a configured MAC source address, and
      drops non-matching packets.
    • Exclusive mode forwards packets that do not match a configured MAC source
      address, and drops matching packets.

Not all anti-spoofing control types apply to all traffic. Table 1-10 identifies the
anti-spoofing control types and any traffic exemptions by source address
anti-spoofing mode.

Figure 1-3 ONT packet authorization
[Figure: upstream packets enter the ONT, which authorizes them against the authorized
source addresses, forwards authorized packets, and discards unauthorized packets.]

Alcatel-Lucent 7330/7302 ISAM FTTN R04.02.42a
3FE 54199 AAAA TCZZA
Edition 01 ONT Product Information Guide
March 2011
1 — ONT and MDU overview
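The forwarding rules described above for the IP-only, MAC and IP, and MAC-only (inclusive and exclusive) control types can be modelled as a single lookup table. This is an added Python sketch, not code from the product or its documentation: the names `Control`, `AntiSpoofFilter`, `provision`, `learn_from_dhcp` and `forwards` are hypothetical, every packet is assumed to carry both a source MAC and a source IP address, and the traffic exemptions listed in the referenced table are not modelled.

```python
import ipaddress
from enum import Enum

class Control(Enum):
    IP_ONLY = 1
    MAC_AND_IP = 2
    MAC_ONLY_INCLUSIVE = 3
    MAC_ONLY_EXCLUSIVE = 4

def _mac(value):
    # Normalise "00-AA-..." and "00:aa:..." to one canonical form.
    return value.lower().replace("-", ":")

class AntiSpoofFilter:
    """Model of the authorized-source-address table (hypothetical names)."""

    def __init__(self, control, dynamic=False):
        # The page limits dynamic mode to the IP-only control type.
        if dynamic and control is not Control.IP_ONLY:
            raise ValueError("dynamic mode supports IP-only anti-spoofing only")
        self.control, self.dynamic = control, dynamic
        self.entries = set()

    def provision(self, mac=None, ip=None):
        """Static entry provisioned by the operator (allowed in both modes)."""
        self.entries.add(self._key(mac, ip))

    def learn_from_dhcp(self, ip):
        """Dynamic entry learned through DHCP; dynamic mode only."""
        if not self.dynamic:
            raise RuntimeError("static mode does not learn from DHCP")
        self.entries.add(self._key(None, ip))

    def _key(self, mac, ip):
        # Keep only the fields that the configured control type compares.
        if self.control is Control.IP_ONLY:
            return ipaddress.ip_address(ip)
        if self.control is Control.MAC_AND_IP:
            return (_mac(mac), ipaddress.ip_address(ip))
        return _mac(mac)

    def forwards(self, src_mac, src_ip):
        """True if an upstream packet is forwarded, False if it is dropped."""
        matched = self._key(src_mac, src_ip) in self.entries
        if self.control is Control.MAC_ONLY_EXCLUSIVE:
            return not matched      # exclusive mode: drop matching sources
        return matched              # every other type: forward only on a match
```

Note that a filter in exclusive mode with an empty table forwards every packet, while an empty table under any other control type drops every packet.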