Cable Modem [really responsible engineering]

Charles Sprickman spork at inch.com
Wed Jun 27 03:01:51 UTC 2001



On Tue, 26 Jun 2001, Chris Adams wrote:

> Okay, but how do you keep the end user from putting a different IP in
> their computer?  We use PPPoA for our "residential" DSL, but someone
> that works here lives outside our service area (small local telcos are
> all over this area), and just got DSL from his local telco/ISP, which
> uses 1483 bridging.  He has multiple computers, so he just picked
> another address, pinged it to see it wasn't in use at the moment, used
> it, and it worked just fine.

Assuming the BRAS is somewhat similar to other boxes that perform these
functions for dialup users you should be able to take care of this very
easily with a decent radius server (ie: Radiator).

Assume the key here is the pvc the user comes in on.  BRAS hits the radius
server when it gets a DHCP request, radius looks up said pvc and hands a
reply back with the IP and a filter for that user that only lets the
assigned IP back out.  How would the user be able to use another address?

While I have not toyed with a Redback or other similar purpose-built
hardware like this, I have to assume they at least beat our USR gear,
which does all of the above.  It even has a DHCP server for dialup (don't
ask).

There's a reason people are building these specialized boxes...

Charles

> Also, how do you prevent the user from trying to forge someone else's
> IP address or even MAC address in outgoing packets?  Without protecting
> against forged packets, I don't see how to provide accountability when
> someone attacks.
>
> DHCP or RADIUS (how did I know you used RADIUS :-) ) is fine for
> assigning things, but how do you _enforce_ those assignments?  I know
> how with PPPoA, but not with a bridged network (the same thing applies
> with cable modems).
>
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>




More information about the NANOG mailing list