[89393] in North American Network Operators' Group


Re: Security problem in PPPoE connection

daemon@ATHENA.MIT.EDU (Sean Donelan)
Mon Mar 13 13:54:12 2006

Date: Mon, 13 Mar 2006 13:53:43 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: Joe Shen <joe_hznm@yahoo.com.sg>
Cc: nanog@merit.edu
In-Reply-To: <20060313071932.69899.qmail@web53602.mail.yahoo.com>
Errors-To: owner-nanog@merit.edu


On Mon, 13 Mar 2006, Joe Shen wrote:
> > > What's your method to deal with such a problem? Will CHAP in PPPoE help?
> >
> > That may help against password sniffing but won't help against sniffing
> > traffic by an active attacker once the session has been established.
> > Also, you'll have to revisit all CPE to explicitly disable PAP, or an
> > active attacker could still steal the password if he impersonates the
> > real PPPoE server.
>
> If we enable CHAP on BRAS, is it enough to ask the subscriber to enable
> CHAP on MS-windows dial connection or Linux?  Need we install some other
> tools?

Microsoft has some suggestions for configuring PPPoE for MS-Windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx

A problem is that many of your customers won't follow the directions, and may
still be vulnerable to man-in-the-middle attacks for the login if they
don't disable PAP. Because things will appear to work, i.e. Windows will
use CHAP first and fall back to PAP, your customers may not notice when an
attack does occur.

Although PPPoE is a layer 2 protocol, the user data may be vulnerable to
many of the same Ethernet CAM table, denial of service and sniffing
weaknesses even if the login credentials are kept secret with CHAP (or
more advanced EAP options).  PPPoE and PPP tend to assume the access
networks are 1) "free" and 2) "secure."  This may be constrained using
point-to-point connections, but often requires additional configuration
of multi-access networks.

The configuration details will vary by equipment vendor.  But you should
find some good information by doing a few web searches for metro ethernet
security, private vlan, broadcast security.
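
Added example, not part of the original message or of any vendor's tooling: a Python check that parses the LCP Authentication-Protocol option in PPPoE session frames and reports when PAP is being requested or acknowledged, the silent CHAP-to-PAP fallback described above. The function names, MAC addresses, session id and frame bytes are constructed for the illustration.

```python
import struct

ETH_PPPOE_SESSION, PPP_LCP, AUTH_OPTION = 0x8864, 0xC021, 3
LCP_CODES = {1: "Configure-Request", 2: "Configure-Ack",
             3: "Configure-Nak", 4: "Configure-Reject"}
AUTH_PROTOCOLS = {0xC023: "PAP", 0xC223: "CHAP"}

def lcp_auth_offer(frame: bytes):
    """Return (LCP code name, auth protocol) for a PPPoE LCP packet, else None."""
    if len(frame) < 26:  # Ethernet 14 + PPPoE 6 + PPP protocol 2 + LCP header 4
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ver_type, code, _sid, _plen, ppp = struct.unpack_from("!BBHHH", frame, 14)
    if (ethertype, ver_type, code, ppp) != (ETH_PPPOE_SESSION, 0x11, 0, PPP_LCP):
        return None
    lcp_code, _ident, lcp_len = struct.unpack_from("!BBH", frame, 22)
    end = 22 + lcp_len
    if lcp_code not in LCP_CODES or lcp_len < 4 or end > len(frame):
        return None
    pos = 26
    while pos + 2 <= end:  # walk the type/length/value options
        opt_type, opt_len = frame[pos], frame[pos + 1]
        if opt_len < 2 or pos + opt_len > end:
            return None  # malformed option, stop rather than misparse
        if opt_type == AUTH_OPTION and opt_len >= 4:
            (proto,) = struct.unpack_from("!H", frame, pos + 2)
            return LCP_CODES[lcp_code], AUTH_PROTOCOLS.get(proto, hex(proto))
        pos += opt_len
    return None

def pap_negotiated(frame: bytes) -> bool:
    """True when PAP is being requested or accepted, i.e. the password
    would cross the access network in cleartext."""
    offer = lcp_auth_offer(frame)
    return offer is not None and offer[1] == "PAP" and offer[0] in (
        "Configure-Request", "Configure-Ack")

def build_frame(lcp_code: int, options: bytes) -> bytes:
    """Constructed sample frame (made-up MACs and session id 1)."""
    lcp = struct.pack("!BBH", lcp_code, 1, 4 + len(options)) + options
    ppp = struct.pack("!H", PPP_LCP) + lcp
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETH_PPPOE_SESSION)
    return eth + struct.pack("!BBHH", 0x11, 0, 1, len(ppp)) + ppp

MRU = bytes.fromhex("010405d4")  # constructed option: MRU 1492
PAP, CHAP_MD5 = bytes.fromhex("0304c023"), bytes.fromhex("0305c22305")
if __name__ == "__main__":
    for code, opts in [(1, MRU + CHAP_MD5), (1, MRU + PAP), (2, MRU + PAP)]:
        f = build_frame(code, opts)
        print(lcp_auth_offer(f), "ALERT" if pap_negotiated(f) else "ok")
```

Where the BRAS is configured for CHAP only, a PAP Configure-Request or Configure-Ack seen on the access segment is worth investigating, since it was either not sent by the BRAS or shows a CPE that still accepts PAP.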
