North American Network Operators Group


Re: Cable Modem [really more about PPPoE]

  • From: Fletcher E Kittredge
  • Date: Mon Jun 25 17:20:56 2001

On Mon, 25 Jun 2001 11:16:29 -0500 Chris Parker wrote:
> PPPoE.  Auth via radius.  Same management infrastructure as used for
> dialup ( in terms of radius accounting from PPPoE aggregation boxes ).

1) Auth via radius is not an advantage for the customer; only for the
   engineer who has a legacy radius infrastructure to support.  A key
   engineering skill is to be able to evolve such infrastructures
   economically and reliably to more modern infrastructures.
   Therefore, this is not much of an advantage as you should know how
   to replace it :)

2) To balance this one special case advantage, radius auth has a
   number of flaws:
   i) it is an older protocol designed for a different model of
      networking and thus is missing many features of DHCP.  In
      particular, clean mechanisms for setting an arbitrary number of
      client configuration values.
   ii) on public networks, it uses username/password authentication.
      This is a flawed mechanism for auth.  It is insecure[1] and
      generates a fair amount of support traffic.

> You have start/stop logs with timestamps.  You know who had what IP and
> when.

3) Inflicting a connection oriented access model on customers is unfair;
   the network should be always on. Only the legacy design of the PSTN
   requires a connection oriented model.  Therefore, start/stop displease
   me.

4) DHCP also logs leases which tell you who had what IP and when.

> Also, most PPPoE aggregation boxes record the client MAC address in
> the 'Calling-Station-Id' radius field, so that solves your MAC problem
> as well.

5) That is good, but I don't like the cost.  I already have a
   working model.

> 
> Before anyone bemoans the dearth of PPPoE clients, check again.  Nearly
> every major consumer OS ( Windows,MacOS,Linux,*bsd ) has PPPoE support.
> Or failing that, you can pick up a nice little netgear or linksys
> pppoe router that does nat for ~$75.

6) I don't care about the dearth of PPPoE clients, if it exists, it
   will resolve itself.  I do care about their bugginess, as this will
   be with us always.  All code is buggy.  Avoid adding more code
   (complexity) unless truly necessary.

7) NAT breaks end-to-end.  NAT is evil.  NAT is a sign of weakness.
   NAT only exists because we have failed in providing a secure
   network with virtually infinite addresses.  NAT is a sign of shame
   for every self-respecting Internet Engineer.

   Remember what Cato said: "NAT must be destroyed".  If I only knew
   how... a plan, I need a plan...

regards,
fletcher
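Point 4 above claims that a DHCP server's lease records answer the same "who had what IP and when" question as PPPoE start/stop accounting. As an added example that is not part of this thread or of any project mentioned in it, here is a small parser over records in ISC dhcpd.leases syntax that answers that question for an IP address and a point in time. The lease text is constructed sample data, the timestamps are read as UTC (which is how dhcpd writes them), and "ends never" is treated as an open-ended binding; all of that is assumed here rather than taken from the thread.

```python
"""Who had a given IP address at a given moment, from ISC dhcpd lease records.

Added example for this thread; the lease text below is constructed sample
data in dhcpd.leases syntax, not a real log.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the same IP is bound to two different MACs in turn,
# and one lease is infinite ("ends never").
SAMPLE_LEASES = """\
lease 192.0.2.10 {
  starts 1 2001/06/25 14:00:00;
  ends 1 2001/06/25 16:00:00;
  binding state active;
  hardware ethernet 00:00:5E:00:53:01;
  client-hostname "alpha";
}
lease 192.0.2.11 {
  starts 1 2001/06/25 15:30:00;
  ends never;
  binding state active;
  hardware ethernet 00:00:5e:00:53:02;
}
lease 192.0.2.10 {
  starts 1 2001/06/25 16:00:00;
  ends 1 2001/06/25 18:00:00;
  binding state active;
  hardware ethernet 00:00:5e:00:53:03;
  client-hostname "bravo";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
# dhcpd writes "starts <weekday> YYYY/MM/DD HH:MM:SS;" in UTC; "ends never;"
# marks a lease with no expiry.
TIME_RE = re.compile(
    r"^\s*(starts|ends)\s+(?:\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})|(never));",
    re.MULTILINE,
)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+);")

FOREVER = datetime.max.replace(tzinfo=timezone.utc)


def utc(stamp):
    """Parse a dhcpd 'YYYY/MM/DD HH:MM:SS' stamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return lease dicts in file order; later records for an IP supersede earlier ones."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        times = {}
        for kind, stamp, never in TIME_RE.findall(body):
            times[kind] = FOREVER if never else utc(stamp)
        mac = MAC_RE.search(body)
        if "starts" not in times or "ends" not in times or mac is None:
            continue  # no usable binding (e.g. a freed lease without a hardware line)
        leases.append({"ip": ip, "mac": mac.group(1).lower(),
                       "starts": times["starts"], "ends": times["ends"]})
    return leases


def who_had(leases, ip, when):
    """MAC that held `ip` at aware datetime `when`, or None. Last matching record wins."""
    hits = [l for l in leases if l["ip"] == ip and l["starts"] <= when < l["ends"]]
    return hits[-1]["mac"] if hits else None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for ip, t in [("192.0.2.10", "2001/06/25 15:00:00"),
                  ("192.0.2.10", "2001/06/25 16:30:00"),
                  ("192.0.2.11", "2001/06/27 00:00:00")]:
        print(ip, "at", t, "->", who_had(leases, ip, utc(t)))
```

The "last record wins" rule matters because dhcpd appends a new record on every renewal and reassignment rather than rewriting the file, so a naive "first match" lookup attributes a renewed or reassigned address to the wrong host. The query is half-open (`starts <= when < ends`) so that a lease ending at the instant the next one starts hands the address over without an overlap or a gap.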