Mpd-4.2 released.

Alexander Motin mav at freebsd.org
Wed Jun 27 12:08:42 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ovi wrote:
> Also as you know
> PPPoE is vulnerable to arp poisoning and to DoSs. Having a small network
> with 10-20 computers using mpd is easy, but having 2000 users or more,
> things change, problems appear. Solving arp poisoning or DoS attack
> (sometimes caused by a burned switch port which mixes RX with TX) I
> think can be done using a Layer2 managed switch, with ACLs, I will try
> and I'll inform you.

Even if pppoe has some DoS weaknesses, it also has some protection
mechanisms against it. It's a pity but ng_pppoe originally implements
the protocol in a way which does not allow this protection to be
effectively used.

As I have said, the 4.2 release contains overload protection which should
also help against DoS attacks. I am not sure it will be able to handle
a 100Mbit/s flood of PADI requests from a broken switch, but it should
avoid an mpd freeze in such a case.

> When having many users, it is useful to have high availability, so it
> would be nice and useful to setup multiple pppoe servers. I've tried
> that, using a router, connected
> to 2 pppoe servers, and at every pppoe connection, a route was added to
> the router and when user disconnected, the route was deleted from
> router. This is still a buggy implementation, we had problems messing
> up routing table.

Having several PPPoE servers in one segment is a normal solution
protocol. It is not as efficient now as it could be due to the ng_pppoe
implementation problem I have mentioned, but it should still increase
performance and stability.

As for routing problems, you just need to find a good dynamic
routing solution. I have a successfully working network with a hundred
PPPoE servers and many thousands of users with routing successfully
managed by quagga bgp.

- --
Alexander Motin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGglNH0kCgngV3usoRAoANAJ9k2lRBnR8VtWu4pm1BhiQKwrimuQCgkTEE
oY83aUVdgXzPITM/ea4cTK8=
=Sk3P
-----END PGP SIGNATURE-----

