[89385] in North American Network Operators' Group


Re: Security problem in PPPoE connection

daemon@ATHENA.MIT.EDU (Niels Bakker)
Sun Mar 12 08:39:45 2006

Date: Sun, 12 Mar 2006 14:39:25 +0100
From: Niels Bakker <niels=nanog@bakker.net>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20060312064818.58724.qmail@web53607.mail.yahoo.com>
Errors-To: owner-nanog@merit.edu


* joe_hznm@yahoo.com.sg (Joe Shen) [Sun 12 Mar 2006, 07:48 CET]:
>We are facing a problem with PPPoE in an Ethernet access network.
>
>To provide high-speed access, 10Mbps/100Mbps Ethernet is used as the access
>method. But we found some guys 'stealing' other users' accounts by listening
>to broadcast packets, and they also set up a 'phishing' PPPoE server to
>catch those PPPoE authentication packets.

I humbly suggest you re-evaluate your network design, only this time 
keeping in mind the fundamental nature of Ethernet as a broadcast medium.

A commonly used model is to use private VLANs (one per customer) 
combined with "local-proxy-arp".


>What's your method to deal with such a problem? Will CHAP in PPPoE help?

That may help against password sniffing but won't help against sniffing 
traffic by an active attacker once the session has been established.  
Also, you'll have to revisit all CPE to explicitly disable PAP, or an 
active attacker could still steal the password if he impersonates the 
real PPPoE server.

HTH,


	-- Niels.

-- 
"Calling religion a drug is an insult to drugs everywhere. 
 Religion is more like the placebo of the masses."
			-- MeFi user boaz
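
The point in the reply about explicitly disabling PAP on CPE, as an added example that is not part of the original message: a Python sketch of how a PPP peer with a CHAP-only policy answers an LCP Configure-Request, using the option encodings from RFC 1661 and RFC 1994. The function names, the CHAP-MD5-only policy and the sample packets are assumptions made for illustration.

```python
import struct

# Constants from RFC 1661 (LCP) and RFC 1994 (CHAP).
CONF_REQ, CONF_ACK, CONF_NAK = 1, 2, 3
OPT_AUTH = 3  # Authentication-Protocol option
PROTO_PAP, PROTO_CHAP, CHAP_MD5 = 0xC023, 0xC223, 5

def parse_options(data):
    """Split an LCP option list into (type, value) pairs."""
    opts, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[i], data[i + 1]
        if olen < 2 or i + olen > len(data):
            raise ValueError("bad option length")
        opts.append((otype, data[i + 2:i + olen]))
        i += olen
    return opts

def respond(packet):
    """Peer-side reply to a Configure-Request under a CHAP-only policy.

    Returns (verdict, reply_bytes). Only the auth option is policed here
    (assumption); a real PPP stack also evaluates MRU, magic number, etc.
    """
    if len(packet) < 4:
        raise ValueError("short LCP packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != CONF_REQ or length < 4 or length > len(packet):
        raise ValueError("not a valid Configure-Request")
    for otype, value in parse_options(packet[4:length]):
        if otype != OPT_AUTH:
            continue
        if len(value) < 2:
            raise ValueError("short Authentication-Protocol option")
        proto = struct.unpack("!H", value[:2])[0]
        if proto == PROTO_CHAP and value[2:] == bytes([CHAP_MD5]):
            continue
        # PAP (0xC023) or anything else: Nak and propose CHAP-MD5, so the
        # cleartext password is never sent to whoever asked for it.
        hint = struct.pack("!BBHB", OPT_AUTH, 5, PROTO_CHAP, CHAP_MD5)
        return "nak", struct.pack("!BBH", CONF_NAK, ident, 4 + len(hint)) + hint
    return "ack", struct.pack("!BBH", CONF_ACK, ident, length) + packet[4:length]

# Constructed sample requests (not captured traffic).
REQ_PAP = bytes.fromhex("010700080304c023")     # server asks for PAP
REQ_CHAP = bytes.fromhex("010800090305c22305")  # server asks for CHAP-MD5
```

A peer that keeps receiving PAP requests after its Nak has to terminate the link rather than fall back, otherwise the policy protects nothing.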
