Subject: Re: Needing help with preventing IP theft
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Dan Debertin <airboss@bitstream.net>
List: tech-net
Date: 08/11/2000 17:26:39
On Fri, 11 Aug 2000, Thor Lancelot Simon wrote:
> 
> If you mean "PPP-over-Ethernet-over-ATM" I have to say this is about as
> poor an idea as I can think of.  

No, I mean "PPP-over-ATM". PPP, encapsulated in ATM cells. Is there
something ambiguous about that?

> I was _just_ discussing this with the
> folks who administer the cablemodem network I'm on, actually.

DSL works a bit differently than cable modems. I have never seen a DSL
implementation that uses PPPoE. Must be a cable modem thing....

> 
> It's *trivial* to screen out "bad" IP addresses at the first router in front
> of the customer.  Unfortunately, for some reason many ISP folks seem to think
> that this requires the godawful hack of PPPoE with its five layers of
> encapsulation.  It does *not*.

That depends on what you mean by "bad". If you have everyone on the bridge
in a /27, any IP address in that net is grabbable by any PVC on that
bridge. The only way to prevent that is to bind an IP address to a MAC
address, which is not desirable, because you will have positively HUGE
access-lists, not to mention condemning your tech support department to
walking clients through figuring out what their MAC address is ;).

> 
> If you're running ATM, you're going to need a PVC to run PPPoE anyway.  Screen
> IP addresses on the PVC's subinterface.  The access lists are trivial to
> generate.
> 
This doesn't make sense. It works like this:

atm or hdlc-------PPPoATM------------------------------Ethernet-----------
WAN(DS3/T1)------>ISP----->telco ATM cloud---->customerrouter---->cust. PC

The traffic doesn't become Ethernet until it comes out of the customer
router, and into the customer's PC or switch/hub.

The issue is not that somebody is grabbing an IP address that is somehow
"illegal"; it's a perfectly legal address on that interface. It just
doesn't happen to belong to that customer. And that is not easy or
desirable to access-list, from the ISP perspective.

> 
> PPPoE is not a solution to this problem.

I did not say "PPPoE". I said "PPPoATM".


~Dan D.
--
__________________________________________________________________
-- I feel the earth move.
-- I feel the tumbling down, the tumbling down.

++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290
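The scenario argued over in this message, as an added worked example that is not part of the tech-net thread and not code from either poster. It models several customer PVCs landing on one bridged /27 at the ISP edge and runs three ingress checks over constructed frames: a subnet-only screen (is the source a legal address on this interface?), a per-PVC binding (is the source the address assigned on the circuit the frame arrived on?), and the IP-to-MAC binding described above. The PVC labels, RFC 5737 addresses and MAC addresses are all constructed for the example, and the rule text emitted by pvc_rules() is illustrative, not any vendor's ACL syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data for the example: one /27 shared by every PVC on the bridge.
BRIDGE_SUBNET = ipaddress.ip_network("192.0.2.0/27")  # RFC 5737 documentation range

# Which address the ISP handed out on which PVC (VPI/VCI used as a label). Assumed data.
PVC_BINDINGS = {
    "0/32": ipaddress.ip_address("192.0.2.2"),
    "0/33": ipaddress.ip_address("192.0.2.3"),
    "0/34": ipaddress.ip_address("192.0.2.4"),
}

# The IP-to-MAC binding alternative: address -> MAC registered for the customer. Assumed data.
MAC_BINDINGS = {
    ipaddress.ip_address("192.0.2.2"): "00:00:5e:00:53:02",
    ipaddress.ip_address("192.0.2.3"): "00:00:5e:00:53:03",
    ipaddress.ip_address("192.0.2.4"): "00:00:5e:00:53:04",
}


@dataclass(frozen=True)
class Frame:
    """What the ISP edge sees: the PVC is known from the ATM circuit the frame
    arrived on; the Ethernet and IP source fields are whatever the customer sent."""
    pvc: str
    src_mac: str
    src_ip: ipaddress.IPv4Address


def subnet_filter(frame: Frame) -> bool:
    """Screen for 'illegal' addresses only: the source must lie in the bridge's /27.
    A neighbour's address is a legal address on this interface, so it passes."""
    return frame.src_ip in BRIDGE_SUBNET


def pvc_filter(frame: Frame) -> bool:
    """Per-PVC ingress filter: the source must be the address assigned on the
    circuit the frame actually came in on.  Keys only on data the ISP controls."""
    return PVC_BINDINGS.get(frame.pvc) == frame.src_ip


def mac_filter(frame: Frame) -> bool:
    """IP-to-MAC binding on the bridge: the source MAC must be the one
    registered for the source IP.  Keys on two fields the customer sets."""
    return MAC_BINDINGS.get(frame.src_ip) == frame.src_mac


def evaluate(pvc: str, src_mac: str, src_ip: str) -> dict:
    """Run all three checks on one frame and report which of them would accept it."""
    frame = Frame(pvc, src_mac, ipaddress.ip_address(src_ip))
    return {
        "subnet": subnet_filter(frame),
        "pvc": pvc_filter(frame),
        "mac": mac_filter(frame),
    }


def pvc_rules() -> list:
    """One ingress rule per PVC subinterface; illustrative text, not any vendor's
    ACL syntax.  One line per customer is the whole list."""
    return [f"pvc {pvc}: permit src {ip} only" for pvc, ip in sorted(PVC_BINDINGS.items())]


if __name__ == "__main__":
    # Customer on 0/33 sending from its own address: all three checks accept.
    print(evaluate("0/33", "00:00:5e:00:53:03", "192.0.2.3"))
    # Same customer claiming the neighbour's 192.0.2.2: legal on the bridge, so the
    # subnet check passes; the PVC check rejects it because 0/33 was given .3.
    print(evaluate("0/33", "00:00:5e:00:53:03", "192.0.2.2"))
    # Same, but also sending the neighbour's MAC: only the PVC check still rejects.
    print(evaluate("0/33", "00:00:5e:00:53:02", "192.0.2.2"))
    # Address from outside the /27 entirely: nothing accepts it.
    print(evaluate("0/34", "00:00:5e:00:53:04", "198.51.100.7"))
    for rule in pvc_rules():
        print(rule)
```

The second frame is the case the message describes: a source address that is perfectly legal on the bridged interface but belongs to another customer, which a subnet-level screen cannot distinguish. The third frame shows what each binding actually keys on: the PVC check uses only the circuit identity known to the ISP, while the MAC check compares two fields that arrive in the customer's own frame.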