Re: Hardware needed for home network

To: debian-user@lists.debian.org
Subject: Re: Hardware needed for home network
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Tue, 15 Feb 2011 10:39:07 +0100
Message-id: <[🔎] 4D5A49BB.8020207@plouf.fr.eu.org>
In-reply-to: <[🔎] 1297755103.2375.26.camel@computer2.home>
References: <[🔎] 20110211133710.041074fe.jhsu802701@jasonhsu.com> <[🔎] torg28xmqa.ln2@news.roaima.co.uk> <[🔎] 1297534704.3648.10.camel@computer2.home> <[🔎] 20110213010146.GB18225@think.homelan> <[🔎] 1297588976.2340.17.camel@computer2.home> <[🔎] 20110213105539.GE18225@think.homelan> <[🔎] 1297596912.2916.35.camel@computer2.home> <[🔎] 20110213130214.GI18225@think.homelan> <[🔎] 1297606152.2571.62.camel@computer2.home> <[🔎] 4D5901AC.2070406@plouf.fr.eu.org> <[🔎] 1297755103.2375.26.camel@computer2.home>

Tixy a écrit :
> On Mon, 2011-02-14 at 11:19 +0100, Pascal Hambourg wrote:
>> Tixy a écrit :
>>> The server uses PPPoE to talk to the modem, which translates this into
>>> PPPoA to get to my IPSs equipment.
>>
>> Are you sure of this ? Isn't your modem rather working as a plain
>> ethernet bridge, just transparently forwarding the PPPoE traffic between
>> its ADSL and ethernet ports ? If so, then it is an obvious security
>> breach : it is a plain ethernet switch connecting your LAN to the
>> outside world.
> 
> Thinking about this some more. Even with PPPoE, I can't imagine that the
> DSLAM in the exchange would be set up to pass and route Ethernet frames
> down my phone line which had MAC addresses of machines on my private
> network or which were broadcast packets.

I beg to differ. I can imagine anything about an external device which
is out of my control, and wouldn't base the security of my LAN on
optimistic assumptions.

If an attacker takes over the DSLAM, it can first listen to your LAN
broadcast traffic leaking through the bridge modem and learn the MAC and
IP addresses of hosts on your LAN from it. Then it can communicate
directly with them using this information.

Is it unlikely ? Yes.
Is it impossible ? No.
Is it easy to protect against ? Yes, just isolate the modem from the LAN.

> Seems like that leaves the telco network open to abuse.

Telco networks have been cracked and abused. It has happened, it will
happen again.

> Even if the telco network did this, would a home modem just pass these
> frames through transparently to its Ethernet port? 

Yes. As a I wrote, a bridge modem works as an ethernet switch. It does
not care whether ethernet frames carry PPPoE, IP, or any other protocol.

> Also, from an efficiency point of view, why send a 48 bits destination
> MAC addresses down my phone line with each frame? (Or even a source
> address?).

Because that is the way ethernet works. There may be several stations
each with a different MAC address at each end of the line. Bridge modems
are not used only for point-to-point protocols such as PPPoE.

Reply to:

References:
- Hardware needed for home network
  - From: Jason Hsu <jhsu802701@jasonhsu.com>
- Re: Hardware needed for home network
  - From: Chris Davies <chris-usenet@roaima.co.uk>
- Re: Hardware needed for home network
  - From: Tixy <tixy@yxit.co.uk>
- Re: Hardware needed for home network
  - From: Andrei Popescu <andreimpopescu@gmail.com>
- Re: Hardware needed for home network
  - From: Tixy <tixy@yxit.co.uk>
- Re: Hardware needed for home network
  - From: Andrei Popescu <andreimpopescu@gmail.com>
- Re: Hardware needed for home network
  - From: Tixy <tixy@yxit.co.uk>
- Re: Hardware needed for home network
  - From: Andrei Popescu <andreimpopescu@gmail.com>
- Re: Hardware needed for home network
  - From: Tixy <tixy@yxit.co.uk>
- Re: Hardware needed for home network
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
- Re: Hardware needed for home network
  - From: Tixy <tixy@yxit.co.uk>

Prev by Date: Re: xterm question
Next by Date: Re: How do I downgrade my gdm ?
Previous by thread: Re: Hardware needed for home network
Next by thread: Re: Hardware needed for home network
Index(es):
- Date
- Thread