Cable Modem [really responsible engineering]

> I think we are in violent agreement. I don't like the
> IP->MAC->Customer mapping, it is forgeable, but it is the only one I
> know we have available. I agree with you that it is not the only
> possible mapping. If you can point me to a better existing mechanism,
> I would be grateful.

If you are a cable modem or DSL provider, you may be able to use the
relay agent information option to get a unique ID from the cable
modem. This should uniquely identify the customer, and has the
virtue that you may have sold the customer the box, and thus may
already know its ID. Cable modem and DSL systems that support this
functionality can apparently be set up so that it's quite difficult to
spoof the modem identification.

Ted;

  That works for the cable/dsl/wireless modem. As always, there
are some unstated assumptions that come with the particular
engineering sub-niche. The unstated assumption here is that the
problem is not the modems, but the devices beyond the modem, the
devices that the customer actually uses: PCs, routers, ip-aware
toasters, web cams, etc. These are the devices that tend to cause the
most problems. They have an enormous range of different
manufacturers. Customers, those pesky folk, tend to add/modify/delete
them constantly.

        Also, if the cable/dsl/wireless modem is a router, life
becomes much simpler as one can just gather the necessary information
via tracing. However, I am not sure requiring modems to be routers is
a good thing...

        Let me stress in passing, it is very important that public
(non-RFC 1918) IPv4 addresses not be wasted on cable/wireless/dsl
modems. There is no reason for these modems to be reachable from the
outside world (in an IPoE environment) and reachability is actually
dangerous. If you waste public IP addresses on these devices,
eventually ARIN will step on your head.

> Now, in this case and also in the case of tracking the customer's MAC
> address, you are still really tracking access at a customer premise
> level, not at a user level, and so this couldn't be used as a reliable
> way of identifying an individual user, but it *could* be used as a way
> of figuring out who to contact to get more information.

Exactly. It isn't an optimal solution. However, Caller-Id and
username/password have the same drawbacks. In fact, I once was an
expert witness on the question of whether username/password was
sufficient proof beyond a reasonable doubt.

regards,
fletcher
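Ted's suggestion above (carry a modem identifier in the DHCP relay agent information option, RFC 3046 Option 82, which the relay inserts and the customer's device cannot set) and the worry in the quoted text that the IP->MAC->Customer mapping is forgeable, worked through in code. This is an added example, not code from the thread or from any vendor's CMTS or DHCP server: the relay model, the constructed DISCOVER packets, the port and customer tables, and the choice of the remote-id sub-option for the modem identity are assumptions made for the demonstration.

```python
"""Subscriber attribution from DHCP Option 82 (RFC 3046) rather than from the
client-supplied MAC address. Illustrative only; the relay behaviour, the
packets and the lookup tables below are constructed for the demo."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2      # RFC 3046 sub-option codes
HEADER_LEN = 236                          # fixed BOOTP header before the cookie
DISCOVER = 1


def parse_tlvs(buf: bytes, allow_pad_end: bool) -> dict:
    """Decode code/length/value triples. The top-level option field uses
    PAD (0) and END (255); Option 82 sub-options do not."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if allow_pad_end and code == OPT_PAD:
            i += 1
            continue
        if allow_pad_end and code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value                 # one value per code suffices here
        i += 2 + length
    return out


def encode_tlvs(items: dict) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in items.items())


def parse_dhcp(pkt: bytes) -> dict:
    """Return chaddr, giaddr and the decoded options of a DHCP message."""
    if len(pkt) < HEADER_LEN + 4 or pkt[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    return {"chaddr": pkt[28:28 + hlen], "giaddr": pkt[24:28],
            "options": parse_tlvs(pkt[HEADER_LEN + 4:], allow_pad_end=True)}


def build_discover(chaddr: bytes, extra_options: dict = None) -> bytes:
    """Constructed client DISCOVER. chaddr is whatever the customer's PC,
    router or IP-aware toaster claims, so it proves nothing by itself."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = {OPT_MSG_TYPE: bytes([DISCOVER]), **(extra_options or {})}
    return hdr + DHCP_MAGIC + encode_tlvs(opts) + bytes([OPT_END])


def relay_insert(pkt: bytes, relay_ip: bytes, port_db: dict, ingress_port: str):
    """Model of the CMTS/DSLAM relay agent: look up the modem provisioned on
    the physical port the request arrived on and stamp it into Option 82.
    RFC 3046 has the relay discard a client-originated packet (giaddr == 0)
    that already carries Option 82 instead of trusting it."""
    msg = parse_dhcp(pkt)
    if msg["giaddr"] == b"\0" * 4 and OPT_RELAY_AGENT in msg["options"]:
        return None                       # relay info from the customer side: drop
    sub = encode_tlvs({SUB_CIRCUIT_ID: ingress_port.encode(),
                       SUB_REMOTE_ID: port_db[ingress_port]})
    opts = dict(msg["options"])
    opts[OPT_RELAY_AGENT] = sub
    out = bytearray(pkt[:HEADER_LEN + 4])
    out[24:28] = relay_ip                 # giaddr marks the packet as relayed
    return bytes(out) + encode_tlvs(opts) + bytes([OPT_END])


def identify_customer(pkt: bytes, customer_db: dict) -> dict:
    """Server side: key the customer lookup on the relay-inserted remote-id and
    report the client MAC only as context, since the client chooses it."""
    msg = parse_dhcp(pkt)
    sub = parse_tlvs(msg["options"].get(OPT_RELAY_AGENT, b""), allow_pad_end=False)
    return {"customer": customer_db.get(sub.get(SUB_REMOTE_ID), "unknown"),
            "circuit": sub.get(SUB_CIRCUIT_ID, b"").decode(errors="replace"),
            "client_mac": msg["chaddr"].hex(":")}


def demo() -> dict:
    modem_mac = bytes.fromhex("001122334455")        # constructed modem identity
    port_db = {"cmts1/0/3": modem_mac}               # constructed provisioning table
    customer_db = {modem_mac: "acct-0042"}           # constructed billing record
    relay_ip = bytes([10, 0, 0, 1])                  # RFC 1918 address on the relay
    # Honest case: the PC's MAC matches nothing the provider sold; the relay's
    # Option 82 still attributes the request to the right premises.
    pc = build_discover(bytes.fromhex("deadbeef0001"))
    honest = identify_customer(relay_insert(pc, relay_ip, port_db, "cmts1/0/3"),
                               customer_db)
    # Failure mode the relay must guard against: a client packet that arrives
    # already carrying Option 82 is discarded, not forwarded.
    preloaded = build_discover(bytes.fromhex("deadbeef0002"),
                               {OPT_RELAY_AGENT: encode_tlvs({SUB_REMOTE_ID: b"\0" * 6})})
    return {"honest": honest,
            "preloaded_dropped": relay_insert(preloaded, relay_ip, port_db, "cmts1/0/3") is None}
```

Run `demo()` to see the two halves of the argument: attribution lands on the account provisioned for the ingress port regardless of the MAC the PC presents, and the relay refuses to pass along relay information it did not insert itself. As the thread notes, this still identifies a premises, not a person.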

[ On Tuesday, June 26, 2001 at 10:43:03 (-0400), Fletcher E Kittredge wrote: ]

Subject: Re: Cable Modem [really responsible engineering]

>         Let me stress in passing, it is very important that public
> (non-RFC 1918) IPv4 addresses not be wasted on cable/wireless/dsl
> modems. There is no reason for these modems to be reachable from the
> outside world (in an IPoE environment) and reachability is actually
> dangerous. If you waste public IP addresses on these devices,
> eventually ARIN will step on your head.

Indeed. In fact most of the cable and DSL modems I've seen seem to be
so poorly implemented that giving the world access to them is far worse
than just shooting yourself in the foot. Some even unconditionally
allow SNMP sets from the customer premises interface, which is bad
enough.