Subject: Re: Needing help with preventing IP theft
To: Dan Debertin <airboss@bitstream.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-net
Date: 08/11/2000 17:46:32
On Fri, Aug 11, 2000 at 03:57:47PM -0500, Dan Debertin wrote:
> On Fri, 11 Aug 2000, Wolfgang Rupprecht wrote:
> > 
> > If someone tries to impersonate my machine I really have to assume
> > that something serious is up.  If I don't defend my IP it will allow
> > the attacker to steal my mail or impersonate my machine.  If it is the
> > prelude to a break-in elsewhere I'll have a heck of a time proving
> > that I didn't break into somewhere from this IP.  (I could really do
> > without Joe Gumshoe confiscating my computer and all backup tapes as
> > evidence in some trial that gets scheduled 1 year down the road.)
> 
> I used to admin a large number of bridged DSL users, before I got a clue
> and switched everybody to PPP-over-ATM. In every case where there was "IP

If you mean "PPP-over-Ethernet-over-ATM" I have to say this is about as
poor an idea as I can think of.  I was _just_ discussing this with the
folks who administer the cablemodem network I'm on, actually.

It's *trivial* to screen out "bad" IP addresses at the first router in front
of the customer.  Unfortunately, for some reason many ISP folks seem to think
that this requires the godawful hack of PPPoE with its five layers of
encapsulation.  It does *not*.

If you're running ATM, you're going to need a PVC to run PPPoE anyway.  Screen
IP addresses on the PVC's subinterface.  The access lists are trivial to
generate.

If you're running anything else, you already have an interface or subinterface
facing the user, or if you're a cablemodem ISP you have a router that's under
your control whether the user "bought" it or not.  Let *it* do the IP address
screening; all of the popular ones can do it.

PPPoE is not a solution to this problem.

Thor
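Added example, not part of the original thread: a small generator for the per-customer ingress access lists the post recommends (one customer-facing subinterface, one assigned prefix, permit only that prefix inbound), plus a function that simulates the router's accept/drop decision. The customer table, subinterface names and the Cisco-IOS-style ACL syntax are assumptions for illustration.

```python
"""Per-customer source-address screening at the first-hop router.

Each customer (sub)interface admits only packets whose source lies in the
prefix assigned to that customer; anything else is dropped and logged.
Constructed example; the table and interface names are made up.
"""
import ipaddress

# Constructed allocation table: customer subinterface -> assigned prefix.
CUSTOMERS = {
    "ATM0/0.101": "192.0.2.0/29",
    "ATM0/0.102": "192.0.2.8/30",
    "ATM0/0.103": "198.51.100.16/28",
}


def ingress_acl(iface, prefix, acl_number):
    """Return IOS-style lines: permit the customer's own prefix inbound on
    its subinterface, drop (and log) every other source address."""
    net = ipaddress.ip_network(prefix)
    # IOS numbered ACLs take an inverse (wildcard) mask, e.g. /29 -> 0.0.0.7
    wildcard = net.hostmask
    return [
        f"access-list {acl_number} permit ip {net.network_address} {wildcard} any",
        f"access-list {acl_number} deny ip any any log",
        f"interface {iface}",
        f" ip access-group {acl_number} in",
    ]


def generate_config(customers, first_acl=100):
    """Build one ingress ACL per customer, numbered from first_acl upward."""
    lines = []
    for n, (iface, prefix) in enumerate(sorted(customers.items())):
        lines += ingress_acl(iface, prefix, first_acl + n)
    return lines


def admitted(customers, iface, src):
    """Simulate the router's decision for a packet with source `src` arriving
    on `iface`: True if forwarded, False if dropped as spoofed."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(customers[iface])


if __name__ == "__main__":
    print("\n".join(generate_config(CUSTOMERS)))
    # A customer claiming a neighbour's address never leaves its own port.
    print(admitted(CUSTOMERS, "ATM0/0.101", "192.0.2.9"))  # False
```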