nanog mailing list archives

RE: PPPoE vs. Bridged ADSL


From: "Frank Bulk - iName.com" <frnkblk () iname com>
Date: Sat, 31 Oct 2009 17:55:53 -0500

Hindsight being what it is, we would have likely had a separate
account/password for the PPP account. 

I guess we could theoretically have two layers of RADIUS checking, the first
layer being the application-layer username/password, and failing that, the
original username/password that we assigned to the PPP device.

Frank

-----Original Message-----
From: Sean Donelan [mailto:sean () donelan com] 
Sent: Saturday, October 31, 2009 3:14 PM
To: NANOG list
Subject: RE: PPPoE vs. Bridged ADSL

On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
Others commented on things I already had in mind only the username/password
thing of PPPoE.  We use the same username/pw on the modem as the customer
uses for their e-mail, so a password change necessitates a truck roll (I
know, I know, TR-069).  We started with PPPoE for our FTTH, because we were
familiar with it, but we moved over to a "VLAN per service" model which ends
up something like RBE in function.  We can track customers based on the
Option 82 info, so we're good to go in terms of tracking them.

You can have a "network username/password" for the customer different
from the mail and other application-layer username/password.   Some ISPs 
did that in the dial-up days, and also with PPPOx.  The network account 
information is configured in the dialer or router/modem; and most users 
never need to know the network-layer stuff.  The user can change their 
mail/application password (and use it for off-network access) without 
affecting their network-layer password.

The same network account may have multiple mail/application accounts 
associated with it. It also helps in the debate whether you store 
irreversible passwords or cleartext passwords for things like CHAP/PAP; 
need to split accounts because people change households; network 
re-architecture moves circuits around or users move and re-associating 
the connections with the correct accounts.  Yep, I sometimes found two 
households with swapped VPI/VCI, VLAN or PORT identifiers because 
someone/something made a data entry or circuit termination mistake.

I like a combination of 802.1x and Option 82 as a way of cross-checking, 
and layer 2/3 anti-spoof protection.  I also like handling network things 
mostly at the network/hardware level, separate from the application layer 
identity so the user changes aren't affected.

But there are almost always multiple ways to solve a problem.
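The following is an added illustration, not code from either poster or from any RADIUS product. It models in Python the two ideas above: Frank's two-layer check (application-layer username/password first, falling back to the credential originally configured in the PPP device) and Sean's separation of a network account, which for CHAP must be held in cleartext (RFC 1994 computes MD5 over identifier, secret and challenge, so the server cannot work from a one-way hash), from application accounts that need only a salted hash. It also cross-checks the Option 82 circuit-id against the network account, which is the check that catches two households with swapped VPI/VCI, VLAN or port identifiers. The account names, circuit-id strings, passwords, salt, the table layout and the use of PBKDF2 for the application hash are all constructed assumptions; real NAS equipment would deliver the circuit identifier in whatever RADIUS attribute it uses.

```python
"""Constructed RADIUS-style authorization logic (example, not any vendor's or
the thread's own code). Application accounts store a one-way hash and are
checked first; on failure the credential configured in the PPP device is
checked against a separate network-account table, which must hold the
cleartext secret because CHAP needs it; finally the session's Option 82
circuit-id is cross-checked against the network account. All records and
identifiers below are constructed."""
import hashlib
import hmac

ITERATIONS = 100_000


def pw_hash(password: str, salt: bytes) -> bytes:
    """One-way salted hash, the only thing stored for application accounts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge).
    The verifier needs the cleartext secret, so pw_hash() records cannot do CHAP."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt

# Application-layer identity: hashed only; the user may change it at will.
# 'network_account' names the circuit-level account the mailbox lives behind.
APP_ACCOUNTS = {
    "alice@mail.example": {
        "salt": _SALT,
        "hash": pw_hash("correct horse", _SALT),   # the user's *new* password
        "network_account": "alice@mail.example",
    },
}

# Network-layer identity: cleartext secret (for CHAP), tied to one circuit.
NETWORK_ACCOUNTS = {
    # legacy case from the thread: same username as mail, and the original
    # password is still what the modem dials with
    "alice@mail.example": {"secret": "modem-pw-2007", "circuit_id": "olt1/1/7:100"},
    # preferred case: a dedicated network account the subscriber never sees
    "cpe-000123@net.example": {"secret": "qf7Lm2Vz9kRt", "circuit_id": "olt1/1/8:101"},
}


def check_app_account(username: str, auth: dict) -> bool:
    rec = APP_ACCOUNTS.get(username)
    if rec is None or auth["type"] != "pap":
        return False  # CHAP cannot be verified against a one-way hash
    return hmac.compare_digest(pw_hash(auth["password"], rec["salt"]), rec["hash"])


def check_network_account(username: str, auth: dict) -> bool:
    rec = NETWORK_ACCOUNTS.get(username)
    if rec is None:
        return False
    if auth["type"] == "pap":
        return hmac.compare_digest(auth["password"].encode(), rec["secret"].encode())
    if auth["type"] == "chap":
        expected = chap_response(auth["ident"], rec["secret"], auth["challenge"])
        return hmac.compare_digest(expected, auth["response"])
    return False


def authorize(username: str, auth: dict, circuit_id: str) -> tuple:
    """Return (code, reason). auth is {'type': 'pap', 'password': str} or
    {'type': 'chap', 'ident': int, 'challenge': bytes, 'response': bytes};
    circuit_id is the Option 82 circuit-id relayed by the access node."""
    if check_app_account(username, auth):
        how, net_name = "app-password", APP_ACCOUNTS[username]["network_account"]
    elif check_network_account(username, auth):
        how, net_name = "network-password", username
    else:
        return "Access-Reject", "bad-credentials"
    net = NETWORK_ACCOUNTS.get(net_name)
    if net is None or net["circuit_id"] != circuit_id:
        # right password on the wrong circuit: the swapped-VPI/VCI-or-port case
        return "Access-Reject", f"circuit-mismatch ({how})"
    return "Access-Accept", how


if __name__ == "__main__":
    chal = bytes(range(16))
    for user, auth, circ in [
        ("alice@mail.example", {"type": "pap", "password": "correct horse"}, "olt1/1/7:100"),
        ("alice@mail.example", {"type": "pap", "password": "modem-pw-2007"}, "olt1/1/7:100"),
        ("alice@mail.example", {"type": "chap", "ident": 7, "challenge": chal,
                                "response": chap_response(7, "correct horse", chal)}, "olt1/1/7:100"),
        ("cpe-000123@net.example", {"type": "chap", "ident": 9, "challenge": chal,
                                    "response": chap_response(9, "qf7Lm2Vz9kRt", chal)}, "olt1/1/7:100"),
    ]:
        print(user, auth["type"], circ, "->", authorize(user, auth, circ))
```

The third demo case is the one worth noticing: a user who has changed their mail password and whose modem still speaks CHAP is rejected, because the hashed application record cannot answer a CHAP challenge and the network record still holds the old secret. That is exactly why the fallback to the device's original credential avoids the truck roll, and why keeping that cleartext secret in a network-only account limits what a leak of it can be used for.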