[118840] in North American Network Operators' Group
RE: PPPoE vs. Bridged ADSL
daemon@ATHENA.MIT.EDU (Frank Bulk - iName.com)
Sat Oct 31 18:57:46 2009
From: "Frank Bulk - iName.com" <frnkblk@iname.com>
To: "'Sean Donelan'" <sean@donelan.com>,
"NANOG list" <nanog@nanog.org>
In-Reply-To: <200910311545230.6B95064B.16404@clifden.donelan.com>
Date: Sat, 31 Oct 2009 17:55:53 -0500
Reply-To: frnkblk@iname.com
Hindsight being what it is, we would have likely had a separate
account/password for the PPP account.
I guess we could theoretically have two layers of RADIUS checking, the first
layer being the application-layer username/password, and failing that, the
original username/password that we assigned to the PPP device.
Frank
-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Saturday, October 31, 2009 3:14 PM
To: NANOG list
Subject: RE: PPPoE vs. Bridged ADSL
On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
> Others commented on things I already had in mind only the username/password
> thing of PPPoE. We use the same username/pw on the modem as the customer
> uses for their e-mail, so a password change necessitates a truck roll (I
> know, I know, TR-069). We started with PPPoE for our FTTH, because we were
> familiar with it, but we moved over to a "VLAN per service" model which ends
> up something like RBE in function. We can track customers based on the
> Option 82 info, so we're good to go in terms of tracking them.
You can have a "network username/password" for the customer different
from the mail and other application-layer username/password. Some ISPs
did that in the dial-up days, and also with PPPOx. The network account
information is configured in the dialer or router/modem; and most users
never need to know the network-layer stuff. The user can change their
mail/application password (and use it for off-network access) without
affecting their network-layer password.
The same network account may have multiple mail/application accounts
associated with it. It also helps with the debate over whether you store
irreversible or cleartext passwords for things like CHAP/PAP; with the need
to split accounts because people change households; and with re-associating
connections with the correct accounts when a network re-architecture moves
circuits around or users move. Yep, I sometimes found two households with
swapped VPI/VCI, VLAN or PORT identifiers because someone/something made a
data entry or circuit termination mistake.
I like a combination of 802.1x and Option 82 as a way of cross-checking,
and layer 2/3 anti-spoof protection. I also like handling network things
mostly at the network/hardware level, separate from the application layer
identity so the user changes aren't affected.
But there are almost always multiple ways to solve a problem.
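As an added illustration of the two-layer RADIUS check Frank sketches and the CHAP storage point Sean raises (example code written for this edit, not from either poster or from any RADIUS product): the application-layer username/password is tried first, against a salted one-way hash, which only works when the credential arrives PAP-style in cleartext; failing that, the per-device PPP account is verified with CHAP as defined in RFC 1994, which forces the server to keep that secret recoverably; both paths are then cross-checked against the Option 82 circuit-id held in provisioning. Every account name, secret and circuit-id below is constructed, and the request dictionary stands in for the RADIUS attributes a real NAS would send.

```python
"""Two-layer subscriber check: application-layer credentials first, then the
device's own PPP account, each cross-checked against the Option 82 circuit-id.
Added example for this thread; every record below is constructed."""
import hashlib
import hmac


def pbkdf2(password, salt):
    """Salted one-way hash for application passwords (PAP submission only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical mail/application accounts. Stored irreversibly: the server only
# ever needs to compare a freshly hashed PAP password against the stored hash.
APP_SALT = b"constructed-salt"
APP_ACCOUNTS = {
    "alice@isp.example": pbkdf2("alice-mail-pw", APP_SALT),
    "bob@isp.example": pbkdf2("bob-mail-pw", APP_SALT),
}

# Hypothetical network accounts, one per CPE, with the circuit-id the DSLAM or
# OLT inserts via Option 82. CHAP hashes secret+challenge on both ends, so the
# secret must be recoverable here (cleartext in this example).
NETWORK_ACCOUNTS = {
    "cpe-1001@isp.example": {
        "chap_secret": "d3vice-s3cret-1001",
        "circuit_id": "dslam1 eth 1/1/4:100",
        "app_accounts": {"alice@isp.example", "bob@isp.example"},
    },
    "cpe-1002@isp.example": {
        "chap_secret": "d3vice-s3cret-1002",
        "circuit_id": "dslam1 eth 1/1/5:100",
        "app_accounts": {"carol@isp.example"},
    },
}


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def network_account_for(app_user):
    """Which CPE account owns this application account (several may share one)."""
    for name, rec in NETWORK_ACCOUNTS.items():
        if app_user in rec["app_accounts"]:
            return name
    return None


def circuit_matches(net_name, circuit_id):
    return NETWORK_ACCOUNTS[net_name]["circuit_id"] == circuit_id


def authorize(req):
    """req carries 'username' and 'circuit_id' plus either 'password' (PAP) or
    'chap_id', 'chap_challenge', 'chap_response' (CHAP).
    Returns (accepted, network_account_or_reason)."""
    user = req["username"]

    # Layer 1: application-layer username/password (hashed store, PAP only).
    if "password" in req and user in APP_ACCOUNTS:
        if hmac.compare_digest(pbkdf2(req["password"], APP_SALT), APP_ACCOUNTS[user]):
            net = network_account_for(user)
            if net is not None and circuit_matches(net, req["circuit_id"]):
                return True, net
            # Good password on the wrong circuit: likely a swapped port/VLAN or
            # a moved subscriber. Reject and flag rather than falling through.
            return False, "circuit mismatch"

    # Layer 2: the PPP account provisioned on the device itself (CHAP).
    rec = NETWORK_ACCOUNTS.get(user)
    if rec is not None and "chap_response" in req:
        expected = chap_response(req["chap_id"], rec["chap_secret"], req["chap_challenge"])
        if hmac.compare_digest(expected, req["chap_response"]):
            if circuit_matches(user, req["circuit_id"]):
                return True, user
            return False, "circuit mismatch"

    return False, "reject"
```

The split Sean describes falls out of the two tables: rotating alice's mail password touches only APP_ACCOUNTS, while the CPE keeps authenticating with its own CHAP secret, and because that secret is the only one that has to be stored reversibly, the hashed-versus-cleartext argument is confined to the per-device records. A circuit-id mismatch with an otherwise valid credential is reported as its own reason rather than a plain reject so that the swapped-port cases can be queued for provisioning review instead of silently failing.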