North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Security problem in PPPoE connection
On Mon, 13 Mar 2006, Joe Shen wrote: > > >What's your method to deal with such problem? Will > > CHAP in PPPoE help? > > > > That may help against password sniffing but won't > > help against sniffing > > traffic by an active attacker once the session has > > been established. > > Also, you'll have to revisit all CPE to explicitly > > disable PAP, or an > > active attacker could still steal the password if he > > impersonates the > > real PPPoE server. > > If we enable CHAP on BRAS, is it enough that asking > subscriber to enable Chap on MS-windows dial > connection or Linux ? Need we install some other > tools? Microsoft has some suggestions for configuring PPPOE for MS-Windows. http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx A problem is many of your customers won't follow the directions, and may still be vulnerable to man-in-the-middle attacks for the login if they don't disable PAP. Because things will appear to work, i.e. Windows will use CHAP first and fallback to PAP, your customers may not notice when an attack does occur. Although PPPOE is a layer 2 protocol, the user data may be vulnerable to many of the same ethernet CAM table, denial of service and sniffing weaknesses even if the login credentials are kept secret with CHAP (or more advanced EAP options). PPPOE and PPP tend to assume the access networks are 1) "free" and 2) "secure." This may be constrained using point-to-point connections, but often require additional configuration of multi-access networks. The configuration details will vary by equipment vendor. But you should find some good information by doing a few web searches for metro ethernet security, private vlan, broadcast security.