On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote:
Others commented on things I already had in mind only the username/password
thing of PPPoE. We use the same username/pw on the modem as the customer
users for their e-mail, so a password change necessitates a truck roll (I
know, I know, TR-069). We started with PPPoE for our FTTH, because we were
familiar with it, but we moved over to a "VLAN per service" model which ends
up something like RBE in function. We can track customers based on the
Option 82 info, so we're good to go in terms of tracking them.
You can have a "network username/password" for the customer different
from the mail and other application-layer username/password. Some ISPs
did that in the dial-up days, and also with PPPOx. The network account
information is configured in the dialer or router/modem; and most users
never need to know the network-layer stuff. The user can change their
mail/application password (and use it for off-network access) without
affecting their network-layer pasword.
The same network account may have multiple mail/application accounts
associated with it. It also helps in the debate whether you store
unreversable passwords or cleartext passwords for things like CHAP/PAP;
need to split accounts because people change households; network
re-architecture moves circuits around or users move and re-associating
the connections with the correct accounts. Yep, I sometimes found two
households with swapped VPI/VCI, VLAN or PORT identifiers because
someone/something made a data entry or circuit termination mistake.
I like a combination of 802.1x and Option 82 as way of cross-checking,
and layer 2/3 anti-spoof protection. I also like handling network things
mostly at the network/hardware level, separate from the application layer
identity so the user changes aren't affected.
But there are almost always multiple ways to solve a problem.