Subject: Re: Needing help with preventing IP theft
To: Thor Lancelot Simon <firstname.lastname@example.org>
From: Dan Debertin <email@example.com>
Date: 08/11/2000 17:26:39
On Fri, 11 Aug 2000, Thor Lancelot Simon wrote:
> If you mean "PPP-over-Ethernet-over-ATM" I have to say this is about as
> poor an idea as I can think of.
No, I mean "PPP-over-ATM". PPP, encapsulated in ATM cells. Is there
something ambiguous about that?
> I was _just_ discussing this with the
> folks who administer the cablemodem network I'm on, actually.
DSL works a bit differently than cable modems. I have never seen a DSL
implementation that uses PPPoE. Must be a cable modem thing....
> It's *trivial* to screen out "bad" IP addresses at the first router in front
> of the customer. Unfortunately, for some reason many ISP folks seem to think
> that this requires the godawful hack of PPPoE with its five layers of
> encapsulation. It does *not*.
that depends on what you mean by "bad". If you have everyone on the bridge
in a /27, any IP address in that net is grabbable by any pvc on that
bridge. The only way to prevent that is to bind an IP address with a MAC
address, which is not desirable, because you will have positively HUGE
access-lists, not to mention condemning your tech support department to
walking clients through figuring out what their MAC address is ;).
> If you're running ATM, you're going to need a PVC to run PPPoE anyway. Screen
> IP addresses on the PVC's subinterface. The access lists are trivial to
This doesn't make sense. It works like this:
atm or hdlc-------PPPoATM------------------------------Ethernet-----------
WAN(DS3/T1)------>ISP----->telco ATM cloud---->customerrouter---->cust. PC
The traffic doesn't become Ethernet until it comes out of the customer
router, and into the customer's PC or switch/hub.
The issue is not that somebody is grabbing an IP address that is somehow
"illegal"; it's a perfectly legal address on that interface. It just
doesn't happen to belong to that customer. And that is not easy or
desirable to access-list, from the ISP perspective.
> PPPoE is not a solution to this problem.
I did not say "PPPoE". I said "PPPoATM".
-- I feel the earth move.
-- I feel the tumbling down, the tumbling down.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC