Security problem in PPPoE connection

Hi,

We are facing problem with PPPoE in ethernet access
network.

To provide high speed access, 10Mbps/100Mbps ethernet
is used as access method. But, we found some guy
'steal' some other's account by listening to
broadcasting packets, and they also set up 'phishing'
PPPoE server to catch those PPPoE authentication
packets.

With ATM DSLAM, we could solve this by binding account
with PVC. With ethernet, although we could separate
subscribers into VLANs there is more than 100
subscribers within one VLAN.

What's your method to deal with such problem? Will
CHAP in PPPoE help?

thanks

Joe

Joe Shen wrote:

> Hi,
>
> We are facing problem with PPPoE in ethernet access
> network.
>
> To provide high speed access, 10Mbps/100Mbps ethernet
> is used as access method. But, we found some guy
> 'steal' some other's account by listening to
> broadcasting packets, and they also set up 'phishing'
> PPPoE server to catch those PPPoE authentication
> packets.
>
> With ATM DSLAM, we could solve this by binding account
> with PVC. With ethernet, although we could separate
> subscribers into VLANs there is more than 100
> subscribers within one VLAN.
>
> What's your method to deal with such problem? Will
> CHAP in PPPoE help?
>
> thanks
>
> Joe

http://www.juniper.net/products/eseries/

Hi Joe,

I am connected through this one:

Access-Concentrator: DARX41-erx
AC-Ethernet-Address: 00:90:1a:a0:01:46

* joe_hznm@yahoo.com.sg (Joe Shen) [Sun 12 Mar 2006, 07:48 CET]:

> We are facing problem with PPPoE in ethernet access network.
>
> To provide high speed access, 10Mbps/100Mbps ethernet is used as access method. But, we found some guy 'steal' some other's account by listening to broadcasting packets, and they also set up 'phishing' PPPoE server to catch those PPPoE authentication packets.

I humbly suggest you re-evaluate your network design, only this time keeping in mind the fundamental nature of Ethernet as a broadcast medium.

A commonly used model is to use private VLANs (one per customer) combined with "local-proxy-arp".

> What's your method to deal with such problem? Will CHAP in PPPoE help?

That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.

HTH,

  -- Niels.

* Peter Dambier:

> I am connected through this one:
>
> Access-Concentrator: DARX41-erx
> AC-Ethernet-Address: 00:90:1a:a0:01:46
> --------------------------------------------------
>
> I guess dtag.de has got some 8 of them. Everybody
> (almost) offering dsl in germany goes through their
> infrastructure. The ip address range 84.167.0.0/16
> seems to be shared by all of them.

But you've got an ATM PVC to them, haven't you? This is a completely
different setup.

Imagine you haven't got a DSL modem, but just an RJ45 plug in the wall
which leads into a stupid cloud of L2 Ethernet switches, and you still
talk PPPoE to your ISP. AFAICS, this is the kind of network setup the
OP is talking about.

* Joe Shen:

> What's your method to deal with such problem? Will
> CHAP in PPPoE help?

AFAIK, CHAP does not authenticate the terminal server, either, so it
won't stop all attacks.

Joe Shen wrote:

> Hi,
>
> We are facing problem with PPPoE in ethernet access
> network.
>
> To provide high speed access, 10Mbps/100Mbps ethernet
> is used as access method. But, we found some guy
> 'steal' some other's account by listening to
> broadcasting packets, and they also set up 'phishing'
> PPPoE server to catch those PPPoE authentication
> packets.

Well you need to do a few things

-- Terminate access to the miscreants
-- Implement features like private-vlans
-- Otherwise prevent ports from communicating between each other except through your authorized PPPoE server. MAC access lists may provide some help with that. You will need to examine exactly what your L2 switches support.

CHAP can be bidirectional.

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

* Steven M. Bellovin:

> CHAP can be bidirectional.

I stand corrected.

However, the value of this type of authentication is rather
questionable if the underlying communication channel is so horribly
insecure.

>> What's your method to deal with such problem? Will
>> CHAP in PPPoE help?
>
> That may help against password sniffing but won't help against sniffing
> traffic by an active attacker once the session has been established.
> Also, you'll have to revisit all CPE to explicitly disable PAP, or an
> active attacker could still steal the password if he impersonates the
> real PPPoE server.

If we enable CHAP on BRAS, is it enough that asking
subscriber to enable CHAP on MS-Windows dial
connection or Linux? Need we install some other
tools?

Regards

Joe

Microsoft has some suggestions for configuring PPPOE for MS-Windows.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx

A problem is many of your customers won't follow the directions, and may
still be vulnerable to man-in-the-middle attacks for the login if they
don't disable PAP. Because things will appear to work, i.e. Windows will
use CHAP first and fallback to PAP, your customers may not notice when an
attack does occur.

Although PPPOE is a layer 2 protocol, the user data may be vulnerable to
many of the same ethernet CAM table, denial of service and sniffing
weaknesses even if the login credentials are kept secret with CHAP (or
more advanced EAP options). PPPOE and PPP tend to assume the access
networks are 1) "free" and 2) "secure." This may be constrained using
point-to-point connections, but often require additional configuration
of multi-access networks.

The configuration details will vary by equipment vendor. But you should
find some good information by doing a few web searches for metro ethernet
security, private vlan, broadcast security.
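
Added example, not part of the original thread: a Python check an operator could run over frames from a mirrored access port to spot the two symptoms discussed above, namely PPPoE offers (PADO) from an access concentrator that is not on an allowlist, and LCP Configure-Requests asking the subscriber to authenticate with PAP. All MAC addresses, the AC-Name and the sample frames are constructed, and the function and variable names are assumptions of this example.

```python
import struct

ETH_DISCOVERY, ETH_SESSION = 0x8863, 0x8864   # PPPoE EtherTypes (RFC 2516)
PADO, TAG_AC_NAME = 0x07, 0x0102              # offer code, AC-Name tag
PPP_LCP, CONF_REQ, OPT_AUTH = 0xC021, 1, 3    # LCP Configure-Request, Auth-Protocol option
AUTH_PAP = 0xC023                             # PAP: password crosses the wire in clear

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_frame(frame, allowed_acs):
    """Return a list of findings for one untagged Ethernet frame (bytes)."""
    if len(frame) < 20:
        return []
    src = mac(frame[6:12])
    etype, vt, code, _sid, plen = struct.unpack("!HBBHH", frame[12:20])
    if vt != 0x11:                            # PPPoE version 1, type 1
        return []
    body, out = frame[20:20 + plen], []
    if etype == ETH_DISCOVERY and code == PADO and src not in allowed_acs:
        name, i = "?", 0
        while i + 4 <= len(body):             # walk the TLV tags
            tag, tlen = struct.unpack("!HH", body[i:i + 4])
            if tag == TAG_AC_NAME:
                name = body[i + 4:i + 4 + tlen].decode("ascii", "replace")
            i += 4 + tlen
        out.append(f"PADO from unlisted AC {src} (AC-Name {name})")
    elif etype == ETH_SESSION and code == 0 and len(body) >= 6:
        proto, lcode, _id, llen = struct.unpack("!HBBH", body[:6])
        if proto == PPP_LCP and lcode == CONF_REQ:
            opts, i = body[6:2 + llen], 0     # LCP length counts its 4-byte header
            while i + 2 <= len(opts) and opts[i + 1] >= 2:
                if opts[i] == OPT_AUTH and opts[i + 2:i + 4] == struct.pack("!H", AUTH_PAP):
                    out.append(f"{src} asks peer to authenticate with PAP")
                i += opts[i + 1]
    return out

# Constructed sample frames (not captured traffic); every MAC here is made up.
def eth(src, etype, code, sid, body):
    return (bytes.fromhex("020000000010") + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!HBBHH", etype, 0x11, code, sid, len(body)) + body)

ALLOWED = {"02:00:00:00:00:01"}               # the operator's real BRAS
ROGUE = "02:00:00:00:00:66"                   # an unlisted station answering PADI
def pado(src):
    return eth(src, ETH_DISCOVERY, PADO, 0, struct.pack("!HH", TAG_AC_NAME, 4) + b"bras")
lcp_pap = eth(ROGUE, ETH_SESSION, 0, 1, struct.pack("!HBBH", PPP_LCP, CONF_REQ, 1, 8) + bytes([OPT_AUTH, 4, 0xC0, 0x23]))
lcp_chap = eth("02:00:00:00:00:01", ETH_SESSION, 0, 1, struct.pack("!HBBH", PPP_LCP, CONF_REQ, 1, 9) + bytes([OPT_AUTH, 5, 0xC2, 0x23, 5]))
```

The PAP finding is reported for any source, so it also catches a legitimate BRAS that still offers PAP.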