North American Network Operators Group


Re: Security problem in PPPoE connection

  • From: Niels Bakker
  • Date: Sun Mar 12 08:40:30 2006

* [email protected] (Joe Shen) [Sun 12 Mar 2006, 07:48 CET]:
> We are facing a problem with PPPoE in an Ethernet access network.
> To provide high-speed access, 10Mbps/100Mbps Ethernet is used as the access method. But we found some guy 'stealing' some other's account by listening to broadcast packets, and they also set up a 'phishing' PPPoE server to catch those PPPoE authentication packets.

I humbly suggest you re-evaluate your network design, only this time keeping in mind the fundamental nature of Ethernet as a broadcast medium.

A commonly used model is to use private VLANs (one per customer) combined with "local-proxy-arp".


> What's your method to deal with such a problem? Will CHAP in PPPoE help?

That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.

HTH,


-- Niels.

--
"Calling religion a drug is an insult to drugs everywhere. Religion is more like the placebo of the masses."
-- MeFi user boaz
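
Added example, not part of the original message: a monitoring check for the two conditions discussed above, run over frames captured on an access segment. It flags PPPoE server-side discovery replies (PADO/PADS) from MAC addresses that are not known access concentrators, and LCP Configure-Requests that ask the peer to authenticate with PAP. The MAC addresses, the allowlist and the sample frames are constructed assumptions, and frames are assumed to be untagged (no 802.1Q header).

```python
import struct

DISCOVERY, SESSION = 0x8863, 0x8864      # PPPoE EtherTypes
PADO, PADS = 0x07, 0x65                  # discovery codes sent only by an access concentrator
PPP_LCP, CONF_REQ, OPT_AUTH = 0xC021, 1, 3
PAP = 0xC023                             # CHAP would be 0xC223

def inspect_frame(frame, known_acs):
    """Return findings for one untagged Ethernet frame (bytes)."""
    if len(frame) < 20:
        return []
    src = frame[6:12]
    ethertype, _vt, code, _sid, length = struct.unpack("!HBBHH", frame[12:20])
    payload = frame[20:20 + length]
    if ethertype == DISCOVERY:
        if code in (PADO, PADS) and src not in known_acs:
            return ["PPPoE server reply from unknown MAC " + src.hex(":")]
        return []
    if ethertype != SESSION or len(payload) < 6:
        return []
    proto, lcp_code, _ident, lcp_len = struct.unpack("!HBBH", payload[:6])
    if proto != PPP_LCP or lcp_code != CONF_REQ:
        return []
    findings, opts, i = [], payload[6:2 + lcp_len], 0
    while i + 2 <= len(opts):            # walk LCP options: type, length, data
        opt_type, opt_len = opts[i], opts[i + 1]
        if opt_len < 2 or i + opt_len > len(opts):
            break                        # malformed option, stop parsing
        if opt_type == OPT_AUTH and opt_len >= 4 and \
                struct.unpack("!H", opts[i + 2:i + 4])[0] == PAP:
            findings.append("PAP requested by " + src.hex(":"))
        i += opt_len
    return findings

# Constructed sample frames (MACs are made-up, locally administered addresses).
CLIENT, REAL_AC, ROGUE = (bytes.fromhex("0200000000" + x) for x in ("10", "01", "99"))
def build(src, ethertype, code, sid, payload=b""):
    hdr = struct.pack("!HBBHH", ethertype, 0x11, code, sid, len(payload))
    return CLIENT + src + hdr + payload

SAMPLES = {
    "pado_real": build(REAL_AC, DISCOVERY, PADO, 0),
    "pado_rogue": build(ROGUE, DISCOVERY, PADO, 0),
    "lcp_pap": build(ROGUE, SESSION, 0, 1, bytes.fromhex("c021" "01010008" "0304c023")),
    "lcp_chap": build(REAL_AC, SESSION, 0, 1, bytes.fromhex("c021" "01010009" "0305c22305")),
}
if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_frame(raw, {REAL_AC}))
```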