
Re: ip theft!!



On Tue, Feb 12, 2002 at 06:51:27PM +0300, ksemat at wawa.eahd.or.ug wrote:
> > (2) Use tunneling to introduce a layer-3 boundary between all customers. For
> > example, you could run PPPoE between them and you, so they each have a
> > separate PPP session with its own assigned IP address and /32 route.
> 
> Thought of this however the major problem was actually the fact that since
> the router is on the same network segment as themselves, they can simply
> change their netmask and set their gateway to the router and voila they're
> on the network once again!

To fix that, you simply don't run IP on the broadcast network at all, only
PPPoE.

                          broadcast domain
                 - - - - - - - - - - - - - - - - - -
             \|/        \|/         \|/             \|/
              |          |           |               | e0
           client1    client2     client3         Router
                                                     | e1
                                                     +--------->
                                                      w.x.y.z

i.e. don't configure _any_ IP address on interface e0 at all. You also don't
need a DHCP server on that network.

You can make this harder to abuse by filtering out all ethernet frames on
your access point apart from those with PPPoE ethertype. Otherwise, two
cooperating clients _could_ still use your infrastructure to communicate
with each other (using whatever IP addresses they chose).

> currently we are using one class C network and everyone is assigned ip
> addresses from this pool with a /24 netmask

So your PPPoE server would allocate them each a /32 address, either from a
pool kept on the router, or using static allocations in RADIUS. This would
be equivalent to using DHCP, or using static allocations, on a regular
network.

B.
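As an added illustration (not part of the original thread), this Python snippet models the access-point ethertype filter described above: only PPPoE discovery (0x8863) and session (0x8864) frames pass, and ARP, IPv4 and 802.1Q-tagged frames are dropped. The frames and MAC addresses are constructed test data, not captured traffic.

```python
import struct

# PPPoE ethertypes (RFC 2516): discovery stage and session stage.
PPPOE_DISCOVERY = 0x8863
PPPOE_SESSION = 0x8864
ALLOWED_ETHERTYPES = {PPPOE_DISCOVERY, PPPOE_SESSION}


def ethertype_of(frame: bytes) -> int:
    """Return the outer ethertype of an Ethernet II frame, or -1 if the header is truncated."""
    if len(frame) < 14:
        return -1
    return struct.unpack("!H", frame[12:14])[0]


def allow_frame(frame: bytes) -> bool:
    """Access-point policy: pass only PPPoE discovery/session frames.

    Everything else (ARP, IPv4, IPv6, 802.1Q-tagged frames, runt frames) is
    dropped, so clients on the shared segment cannot exchange IP directly
    with each other or with the router; all traffic must go via a PPP session.
    """
    return ethertype_of(frame) in ALLOWED_ETHERTYPES


def filter_frames(frames):
    """Apply the policy to a batch; return (passed, dropped) lists of ethertypes."""
    passed, dropped = [], []
    for f in frames:
        (passed if allow_frame(f) else dropped).append(ethertype_of(f))
    return passed, dropped


def make_frame(ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed Ethernet II frame with dummy MACs (test data only)."""
    dst = b"\xff" * 6                    # broadcast, as a PADI would use
    src = b"\x02\x00\x00\x00\x00\x01"    # locally administered, constructed
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample batch: two PPPoE frames and three that the policy must drop.
SAMPLE_FRAMES = [
    make_frame(PPPOE_DISCOVERY),  # client PADI: allowed
    make_frame(PPPOE_SESSION),    # PPP session traffic: allowed
    make_frame(0x0806),           # ARP on the raw segment: dropped
    make_frame(0x0800),           # IPv4 on the raw segment: dropped
    make_frame(0x8100),           # 802.1Q tagged: dropped (untagged PPPoE only)
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    print("passed:", [hex(e) for e in ok])
    print("dropped:", [hex(e) for e in bad])
```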

-----
This is the afnog mailing list, managed by Majordomo 1.94.5