
IPoE problem

Recently, IPoE technology has become very popular. So popular that some providers have decided to introduce it into their existing networks. And indeed, at first glance it looks like nothing but advantages.

Offhand, a few of the advantages: unlike PPPoE, no expensive BRAS is needed, no money has to be spent on a subnet of public addresses, the load on the equipment is lower because there are no tunnels, and there is no need to push internal traffic through the BRAS. One can find many more advantages, but for some reason few people have thought about the disadvantages. There is not even an RFC for this technology, not to mention that a lot of the cheap equipment used at the access layer does not always handle option 82 correctly.
The main disadvantage, in my opinion, is end-user security.

Consider, for example, a metro Ethernet network in which the service is provided using PPPoE (Fig. 1).

[Fig. 1]
This scheme uses Q-in-Q, roughly speaking a VLAN inside a VLAN. One VLAN for PPPoE is allocated to the access ring. On the switches in the access ring, where subscribers are connected directly, the VLAN numbers are assigned according to the switch's position in the ring and the port. For example:


Further, on the L3 aggregation switch this is collected into C-VLANs of the form 33290101, 33290102, and so on.
In that form it is sent to the BRAS. Moreover, the equipment on the link between the BRAS and the router in the aggregation ring may not support Q-in-Q at all.
With this scheme each user has their own login and password. Even if an attacker steals it, it can only be used from that subscriber's port; plugged into any other port, the login and password are useless.

Now consider the situation when the boss, Ibrahim Avramovich, comes in and says: I want IPoE (Fig. 2).

[Fig. 2]

No sooner said than done. You shook up the whole network and built IPoE. In the most common scenario the binding is to the access switch and its port. Your DHCP server is tied to billing, and the whole trick is that billing pushes pieces of configuration to the DHCP server.
Add NAT! Now you can hand the hamsters grey (private) addresses and NAT them, saving money as well! Ibrahim Avramovich is pleased, and he notes that white (public) addresses can be issued to especially zealous users, for a fee of course.
You decided to keep Q-in-Q so that users are at least somehow separated from each other.
You did all of it, well done. Users no longer have to type in a login and password, and tech support has forgotten about error 691. Ibrahim Avramovich is picking out a new Lexus. You were given a bonus of 2048 rubles. Everyone is happy.

What, it would seem, could break this slender idyll? The scheme shown in Figure 3 can.

[Fig. 3]

Let's take a closer look at it. Aunt Glasha from apartment No. 1 honestly pays for her Internet. For clarity, Aunt Glasha will have a grey address. Her neighbour, Vasily the Kulhacker, does not want to pay for the Internet. He goes to the nearest shop and buys:


While Aunt Glasha and the other residents are at work, Vasily brazenly cuts into Aunt Glasha's cable and runs it into his own flat. On cores 1, 2, 3 and 6 he will draw his free Internet, and on the remaining cores he connects Aunt Glasha back (on the return line, as they say), so that she suspects nothing and does not call the installer. Since there are no logins or passwords, nothing stops Vasily from getting his free Internet. The rest is a matter of technique: a router with DHCP and NAT goes up. Moreover, if desired, Aunt Glasha can be issued an IP from the same subnet the provider uses, to keep suspicion to a minimum. And if the grey IP is not issued from a pool but is hard-bound to the port, it is easier still.
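To make the port binding from the IPoE setup above concrete, and to show exactly why the splice into Aunt Glasha's cable passes it, here is a small Python model. It is an added example, not code from the original article: the access switch inserts DHCP option 82 (RFC 3046) with a Circuit-ID naming the port and a Remote-ID naming the switch, and the DHCP server looks that pair up in the binding table that billing fills. The "vlan/switch/port" text encoding of the Circuit-ID, the switch MAC, the client MACs and the account names are all constructed for the example; real switches use vendor-specific Circuit-ID formats. Vasily's router arrives with the very same option 82 as Aunt Glasha's PC, because it sits on the same drop cable, so only the optional MAC binding discussed in the afterword tells them apart.

```python
"""Model of IPoE DHCP option 82 port binding (added example, not from the article)."""

OPTION_RELAY_AGENT = 82   # RFC 3046 Relay Agent Information option
SUB_CIRCUIT_ID = 1        # sub-option: which access port the packet came in on
SUB_REMOTE_ID = 2         # sub-option: which relay agent (access switch) inserted it


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 with Circuit-ID and Remote-ID sub-options (TLVs inside a TLV)."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(data: bytes) -> dict:
    """Decode option 82 into {sub-option code: value}.

    Length fields are checked strictly; a truncated or overlong encoding is the
    kind of malformed option 82 that cheap access switches are known to produce.
    """
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an option 82 TLV")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("option 82 truncated")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("sub-option header truncated")
        code, sub_len = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sub_len]
        if len(value) != sub_len:
            raise ValueError("sub-option value truncated")
        subs[code] = value
        i += 2 + sub_len
    return subs


def is_well_formed(data: bytes) -> bool:
    """True if the DHCP server would accept this option 82 encoding at all."""
    try:
        parse_option82(data)
        return True
    except ValueError:
        return False


# Constructed values: one access switch, Circuit-ID as "vlan/switch/port" text
# in the spirit of the article's 33290101-style numbering.
SWITCH_MAC = bytes.fromhex("0011223344aa")
OPT82_PORT1 = build_option82(b"3329/01/01", SWITCH_MAC)   # Aunt Glasha's port
OPT82_PORT2 = build_option82(b"3329/01/02", SWITCH_MAC)   # another subscriber

# Binding table as billing would push it: (access switch, port) -> account.
BINDINGS = {
    (SWITCH_MAC, b"3329/01/01"): "glasha",
    (SWITCH_MAC, b"3329/01/02"): "petrovich",
}
# Optional MAC binding (the afterword's variant): account -> allowed client MACs.
MAC_BINDINGS = {"glasha": {"aa:bb:cc:00:00:01"}}


def authorize(option82: bytes, client_mac: str, mac_binding: bool = False):
    """Return the account a DHCP request is served under, or None to refuse it."""
    subs = parse_option82(option82)
    key = (subs.get(SUB_REMOTE_ID), subs.get(SUB_CIRCUIT_ID))
    account = BINDINGS.get(key)
    if account is None:
        return None                      # unknown switch/port: no lease
    if mac_binding and client_mac not in MAC_BINDINGS.get(account, set()):
        return None                      # port is known, but this device is not
    return account


if __name__ == "__main__":
    glasha_pc = "aa:bb:cc:00:00:01"      # constructed
    vasily_router = "de:ad:be:ef:00:01"  # constructed; spliced into the same cable
    # Port binding only: both devices present identical option 82, both get served.
    print("Glasha's PC      ->", authorize(OPT82_PORT1, glasha_pc))
    print("Vasily's router  ->", authorize(OPT82_PORT1, vasily_router))
    # MAC binding added: the router is refused, at the support cost the article describes.
    print("Vasily, MAC bind ->", authorize(OPT82_PORT1, vasily_router, mac_binding=True))
    print("Malformed opt82  ->", is_well_formed(OPT82_PORT1[:-3]))
```

The point the run makes is the article's own: the only identity an IPoE server sees in the port-binding scheme is the relay agent's view of the physical port, and the relay agent cannot tell two devices on one drop cable apart. The strict length checks in `parse_option82` are there because the article notes that inexpensive access gear mangles option 82; a server that silently accepts a malformed option rather than refusing the request loses even the port binding.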

And so Vasya got his free Internet. Aunt Glasha noticed nothing, except that she started to wonder why her favourite social network account kept getting hacked and why "the pictures take so long to load".

Afterword:
I agree that some providers also bind to the subscriber's MAC address. But, gentlemen, you are creating your own headache. What if the hamster has no home LAN or router, but has two computers, three, and so on? What if the network card burns out? Each time, call tech support and dictate the MAC. And that is if the hamsters do not panic at the word "MAC". Besides, Vasya can easily learn the MAC, and replacing it is even easier.

On the question of SORM and the bloody Gebnya. What stops the hereditary Wahhabi Ashot from walking into any stairwell, splicing a cable, writing obscenities on the Internet or downloading torrents, and then disappearing without getting caught? There will not even be the blocking mechanisms that public Wi-Fi networks have.

I naturally do not claim this is serious security research, but in my opinion there is reason to think about it.

Source: https://habr.com/ru/post/170371/
