|
ru.nethack
- RU.NETHACK -------------------------------------------------------------------
From : Viktor 2:5020/400 07 Apr 2005 01:05:44
To : Alexander Burylov
Subject : Re: Перехват паролей при поключении к PPPoE концентратору.
--------------------------------------------------------------------------------
Hello, Alexander!
Alexander Burylov пишет:
> Кто может помочь или что-то подсказать по данной пpоблеме?
Прошу прощения, поскольку ответа по сути не имею. Hо есть мысль, что
можно найти интересующую вас инфрмацию в RFC 3817, если вы еще к нему не
обращались, конечно. Там есть совет по улучшению безопасности PPPoE
сервиса в ненадежной сети. Hасколько это коррелирует с вашей конкретной
проблемой определить затруднюсь - к стыду своему мой английский довольно
плох (слышу "звон", в основном), ;-( да и PPPoE, увы, изучать не
приходилось.
Выдержка:
Townsley & da Silva Informational [Page 10]
RFC 3817 L2TP Relay for PPPoE June 2004
5. Security Considerations
PPPoE has a number of known security weaknesses that are not
described here. For example, an intruder between a PPPoE Host and a
PPPoE AC who can observe or modify PPPoE Active Discovery traffic has
numerous opportunities for denial of service and other attacks. The
use of the L2TP extensions described here makes it possible to tunnel
PPPoE discovery packets between the LAC and LNS, extending the path
which the PPPoE Active Discovery packets are transported. There are
two possible implications of this. First, the tunneled packets may
now be observable by an intruder having access to traffic along the
L2TP tunnel path. This MAY make information regarding service
offerings or host identity easier to obtain to a rogue party given
that it is being sent over a wider variety of media, and presumably
over a longer distance and/or more hops or administrative domains.
Whether this information could be used for malicious purposes depends
on the information contained within, but it is conceivable that this
could be sensitive information, and this mechanism increases the
possibility that this information would be presented to an
interloper. Second, it may also be possible for an intruder to
modify PPPoE Active Discovery traffic while it is being carried
within L2TP control messages.
There are at least two methods defined to help thwart this inspection
or modification by an unauthorized individual. One of the two MUST
be used if the service discovery information is considered to be
sensitive and is traversing an untrusted network. The first
suggested method is AVP hiding described in [2]. This may be used to
hide the contents of the packets in transit, though offers no
integrity protection against modification of data in the AVP. The
second and more secure method is protecting L2TP with IPsec as
defined in [6].
--
wbr, viktor
--- ifmail v.2.15dev5.3
* Origin: AAA Intersvyaz (2:5020/400)
Вернуться к списку тем, сортированных по: возрастание даты уменьшение даты тема автор
|
Re: Перехват паролей при поключении к PPPoE концентратору. 
