PPPoE vs. Bridged ADSL
Hindsight being what it is, we would have likely had a separate
account/password for the PPP account.
I guess we could theoretically have two layers of RADIUS checking, the first
layer being the application-layer username/password, and failing that, the
original username/password that we assigned to the PPP device.
Frank
-----Original Message-----
From: Sean Donelan [mailto:sean at donelan.com]
Sent: Saturday, October 31, 2009 3:14 PM
To: NANOG list
Subject: RE: PPPoE vs. Bridged ADSL
On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
> Others commented on things I already had in mind only the username/password
> thing of PPPoE. We use the same username/pw on the modem as the customer
> uses for their e-mail, so a password change necessitates a truck roll (I
> know, I know, TR-069). We started with PPPoE for our FTTH, because we were
> familiar with it, but we moved over to a "VLAN per service" model which ends
> up something like RBE in function. We can track customers based on the
> Option 82 info, so we're good to go in terms of tracking them.
You can have a "network username/password" for the customer different
from the mail and other application-layer username/password. Some ISPs
did that in the dial-up days, and also with PPPOx. The network account
information is configured in the dialer or router/modem; and most users
never need to know the network-layer stuff. The user can change their
mail/application password (and use it for off-network access) without
affecting their network-layer password.
The same network account may have multiple mail/application accounts
associated with it. It also helps in the debate whether you store
irreversible passwords or cleartext passwords for things like CHAP/PAP;
need to split accounts because people change households; network
re-architecture moves circuits around or users move and re-associating
the connections with the correct accounts. Yep, I sometimes found two
households with swapped VPI/VCI, VLAN or PORT identifiers because
someone/something made a data entry or circuit termination mistake.
I like a combination of 802.1x and Option 82 as a way of cross-checking,
and layer 2/3 anti-spoof protection. I also like handling network things
mostly at the network/hardware level, separate from the application layer
identity so the user changes aren't affected.
But there are almost always multiple ways to solve a problem.
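An added illustration (not code from either poster) of the two points made above: the network account used by the PPP device is kept separate from the mail/application account, and CHAP forces the authenticator to hold the network secret in recoverable form while a PAP-style check can work from a one-way hash. Subscriber records, usernames and secrets are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample subscriber record: one network account for the PPP
# device and a separate mail/application account on the same circuit.
SUBSCRIBERS = {
    "circuit-0042": {
        "network": {"user": "ppp-0042@isp.example", "secret": "n3tw0rk-secret"},
        "apps": {},  # filled by set_app_password(); holds (salt, digest) only
    }
}

def set_app_password(circuit, user, password):
    """Application account: store only a salted one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    SUBSCRIBERS[circuit]["apps"][user] = (salt, digest)

def verify_pap(circuit, user, password):
    """PAP sends the cleartext password, so a stored hash is enough to verify it."""
    entry = SUBSCRIBERS[circuit]["apps"].get(user)
    if entry is None:
        return False
    salt, digest = entry
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(digest, cand)

def chap_response(ident, secret, challenge):
    """RFC 1994 MD5-CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def verify_chap(circuit, user, ident, challenge, response):
    """CHAP: the server must recompute the response from the cleartext secret,
    so the network secret cannot be stored as an irreversible hash."""
    net = SUBSCRIBERS[circuit]["network"]
    if net["user"] != user:
        return False
    expected = chap_response(ident, net["secret"], challenge)
    return hmac.compare_digest(expected, response)

def demo():
    """Changing the mail password leaves the network-layer login untouched."""
    set_app_password("circuit-0042", "alice@isp.example", "old-mail-pw")
    challenge = os.urandom(16)
    resp = chap_response(0x01, "n3tw0rk-secret", challenge)
    before = verify_chap("circuit-0042", "ppp-0042@isp.example", 0x01, challenge, resp)
    set_app_password("circuit-0042", "alice@isp.example", "new-mail-pw")
    after = verify_chap("circuit-0042", "ppp-0042@isp.example", 0x01, challenge, resp)
    old_pw_rejected = verify_pap("circuit-0042", "alice@isp.example", "old-mail-pw")
    return before, after, old_pw_rejected  # returns (True, True, False)
```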