From: Jeff Shultz 

On Tue, 05 Apr 2005 14:53:42 -0400, Mike N. wrote:

> On Mon, 4 Apr 2005 23:33:37 -0400, "Geo"
 wrote:
>
>>But I do have a question, if using bridged mode, aren't they all
>>basically on the same ethernet segment so they see each other's broadcast
>>traffic? In other words if it's a bunch of windows boxes with no
>>firewalls couldn't they browse to each other?
>
>   There is an older style bridged configuration that is pure bridged mode
> (IRB)  that works as you describe above.  It is appropriate only when the
> ISP installs, configures, and controls both the modem and a
> router/firewall.
>
>   Nearly everyone now uses RBE in which every circuit is a separate
>   network
> and they receive only the traffic that gets routed to them and broadcasts
> are suppressed.   A malicious user can guess a neighboring IP address and
> send packets using that IP.   However he cannot receive any replies
> because replies will go to the rightful owner.   (I don't think there is a
> Source Address Assurance filter per circuit with RBE).   A DSL aggregator
> router may have SAA though.

We've got it locked down so that only a specific VCI/VPI can use a specific
IP address(s). I suppose we could have some additional fun and serve them
out via DHCP... I've never looked into that and what we have works.

--- BBBS/NT v4.01 Flag-5