DaemonForums > OpenBSD > OpenBSD Security
#1 (10th May 2008) ryoken, New User

Modem PPPoE vs OpenBSD PPPoE

Looking at this page from the OpenBSD website:
http://www.openbsd.org/faq/faq6.html

=================================================
PPPoE/PPPoA

The Point to Point Protocol over Ethernet (PPPoE) is a method for sending PPP packets in Ethernet frames. The Point to Point Protocol over ATM (PPPoA) is typically run on ATM networks, such as those found in the UK and Belgium.

Typically this means you can establish a connection with your ISP using just a standard Ethernet card and Ethernet-based DSL modem (as opposed to a USB-only modem).

If you have a modem which speaks PPPoE/PPPoA, it is possible to configure the modem to do the connecting. Alternatively, if the modem has a `bridge' mode, it is possible to enable this and have the modem "pass through" the packets to a machine running PPPoE software (see below).

The main software interface to PPPoE/PPPoA on OpenBSD is pppoe(8), which is a userland implementation (in much the same way that we described ppp(8), above). A kernel PPPoE implementation, pppoe(4), has been incorporated into OpenBSD.

=================================================

With reference to the bolded paragraph above, is it more secure to allow OpenBSD to handle PPPoE authentication etc. (by setting modem to bridge mode), or is it better to allow the ADSL router/modem to handle all the PPPoE authentication stuff?
#2 (11th May 2008) osman, New User

In case of NAT, dialing from the modem is more secure because it will be assigned a live IP and your machine will be on a private IP, behind NAT.

Usually PPPoE dialing from machines/devices is more stable than dialing from cheap ADSL modems, unless you have some modem like Speedtouch/Alcatel.

I work at a broadband ISP, and many times we configure ADSL modems in bridge mode; sometimes we don't even use any authentication method, because a lot of modems/devices/routers don't have a very good PPPoE implementation.
#3 (12th May 2008) reuteler, New User

Quote:
Originally Posted by osman
In case of NAT, dialing from the modem is more secure because it will be assigned a live IP and your machine will be on a private IP, behind NAT.

A very basic pf ruleset on the PPPoE machine would more than make up for that and almost certainly be more secure than the NAT provided by the modem. If you're willing to put a little effort into it you can do some pretty cool things (bridging one interface to a routed block, NATing another to an internal space, etc.). I'd recommend "The Book of PF" by Hansteen for inspiration. It's cheap and decent.

Quote:
Originally Posted by osman
Usually PPPoE dialing from machines/devices is more stable than dialing from cheap ADSL modems, unless you have some modem like Speedtouch/Alcatel.

And this is the best reason to do it. OpenBSD's kernel PPPoE implementation is considerably more robust than most modems.
#4 (13th May 2008) ryoken, New User
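What the "very basic pf ruleset" for the bridged-modem setup looks like, as an added example that is not part of reuteler's post or of OpenBSD's own files: the modem is in bridge mode, so pppoe0 holds the public address and the OpenBSD box does the NAT and filtering for the LAN. The interface names (pppoe0, em1) and the LAN prefix are assumptions, and it is written in the pf.conf syntax of current OpenBSD (4.7 and later), not the 2008 syntax the thread's posters would have used.

```conf
# /etc/pf.conf -- constructed example for an OpenBSD gateway whose modem is in
# bridge mode: pppoe0 carries the public address, em1 faces the LAN.
# Interface names and the LAN prefix are assumptions; adjust to your hardware.
# The box also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf.

ext_if = "pppoe0"
int_if = "em1"
lan    = "192.168.1.0/24"        # assumed LAN prefix

set skip on lo
set block-policy drop            # drop silently instead of answering with RST/ICMP

# pppoe0 has an MTU of 1492 (8 bytes of PPPoE overhead), so clamp the TCP MSS of
# forwarded connections; otherwise LAN hosts hit path-MTU blackholes.
match in all scrub (no-df random-id max-mss 1440)

# Source-NAT the LAN out the PPPoE link. The parentheses make pf re-read pppoe0's
# address on every packet, which matters because the ISP reassigns it on reconnect.
match out on $ext_if from $lan to any nat-to ($ext_if)

# Default deny, and refuse spoofed source addresses on the LAN side.
block all
antispoof quick for { lo $int_if }

# The gateway itself and the LAN may initiate anything outbound (stateful by default).
pass out on $ext_if inet
pass in on $int_if inet from $lan

# Nothing from the Internet is accepted except replies the state table already
# knows about. Add explicit 'pass in on $ext_if' rules only for services you publish.
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` and `pfctl -ss` show the loaded rules and the state table. This is the point made against osman's NAT argument: the LAN still sits on private addresses behind a NAT, but the default deny on pppoe0 is decided by the OpenBSD box, not by whatever the modem firmware does.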

Thanks for the suggestions osman and reuteler.

Do you think security would be (slightly) improved if the OpenBSD box was behind the modem's NAT, with PF further protecting the OpenBSD box?

Sorry if that sounded confusing. What I meant was: would having the OpenBSD box sitting behind the modem's NAT provide a second layer of security, since the OpenBSD box isn't allocated an external IP address? So in effect the internal LAN would be behind a "double NAT"... or have I missed something?

I'm not too concerned about my modem's PPPoE because it seems to be quite robust. Whenever I lose ADSL line sync, the modem's PPPoE/PPPoA automagically reconnects without fail. Again, please correct me if I have missed something here as well.
#5 (13th May 2008) stukov (Jean-Michel Philippon-Nadeau), Package Pilot

It all depends on what your OpenBSD machine is going to do. If it is already a firewall/NAT, I personally think adding another NAT behind it is useless and only a management hassle... Otherwise, if you don't have a "front" firewall or NAT, the additional layer might be useful.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
#6 (16th May 2008) ryoken, New User

Well, since the OpenBSD box is acting as the firewall/NAT/gateway, I guess I should set the modem to bridge mode. I gather that since the modem's firmware isn't audited at all (compared to OpenBSD), there might be many (exploitable) bugs that I'm just unaware of. In the worst case, the username/password could be compromised from buggy firmware on the modem, right?
#7 (14th June 2008) Peter_APIIT, New User

I prefer to have PPPoE dialing in the modem because this is much more flexible and secure.

I hope this helps.

Thanks.

Last edited by Peter_APIIT; 14th June 2008 at 12:52 AM. Reason: Add some information.
#8 (14th June 2008) ryoken, New User

Quote:
Originally Posted by Peter_APIIT
I prefer to have PPPoE dialing in the modem because this is much more flexible and secure.

Why do you say that PPPoE dialling in-modem is more secure?
#9 (14th June 2008) BSDfan666, Helpful companion

Quote:
Originally Posted by Peter_APIIT
I prefer to have PPPoE dialing in the modem because this is much more flexible and secure.

I hope this helps.

Thanks.

That's your opinion; the PPPoE functionality is quite advanced on OpenBSD, and security is there too.

I used it prior to switching to a more affordable cable solution.
(14th June 2008) Peter_APIIT, New User

Sorry to say that. It should be PPPoE in OpenBSD.
(14th June 2008) ryoken, New User

Quote:
Originally Posted by Peter_APIIT
Sorry to say that. It should be PPPoE in OpenBSD.

Thanks for the clarification.
(15th June 2008) ohauer, Port Guard

In the past I ran OpenBSD PPPoE, but I switched to modem PPPoE.
A good modem lets you route all the traffic, so there is no NAT between the modem and the *BSD box.
You can then protect your BSD box easily with pf; also VPN with IPsec works great behind a routing modem.

Two reasons for me to switch from OpenBSD PPPoE to modem PPPoE:

My provider breaks the line every 24 hours, so my postfix, apache and other daemons didn't work as expected.
I could bind them to a dummy or other interface and redirect with pf, but this hasn't stopped the trouble.

IPsec and ssh run happily behind a routing modem with a private IP (both directions).
(15th June 2008) ryoken, New User
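The kernel pppoe(4) configuration ohauer says he used, together with the "bind the daemons elsewhere and redirect with pf" arrangement he describes, as an added example constructed here (not taken from his post or from OpenBSD's own manual pages): hostname.if(5) files for the PPPoE session, plus a pf fragment that lets daemons listen on 127.0.0.1 instead of on pppoe0's changing address. The NIC name (em0), the credential placeholders and the ports 25/80 (the postfix/apache case in the thread) are assumptions.

```conf
# /etc/hostname.em0 -- the NIC cabled to the bridged modem needs no address, only 'up'
up

# /etc/hostname.pppoe0 -- kernel pppoe(4) session (constructed example).
# Keep this file mode 0640 root:wheel: it holds the ISP credentials, which is the
# thing ryoken worried about leaving inside unaudited modem firmware.
inet 0.0.0.0 255.255.255.255 NONE \
    pppoedev em0 authproto chap \
    authname 'USERNAME@ISP' authkey 'PLACEHOLDER_SECRET' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

# /etc/pf.conf fragment -- daemons bind to 127.0.0.1, which never changes, and pf
# rewrites the destination of connections arriving on whatever address pppoe0
# holds right now. ($ext_if) is re-read on every packet, so a reconnect that hands
# out a new address needs no rule reload. Ports 25 and 80 are assumptions.
ext_if = "pppoe0"
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 25, 80 } rdr-to 127.0.0.1
```

`sh /etc/netstart pppoe0` brings the session up without a reboot and `ifconfig pppoe0` shows its state and negotiated addresses. As ohauer says, this only sidesteps the bind-to-a-dynamic-address problem; it does not stop the provider's 24-hour line reset itself, so established connections are still cut and anything that cached the old address has to resolve the new one.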

Quote:
Originally Posted by ohauer
In the past I ran OpenBSD PPPoE, but I switched to modem PPPoE.
A good modem lets you route all the traffic, so there is no NAT between the modem and the *BSD box.
You can then protect your BSD box easily with pf; also VPN with IPsec works great behind a routing modem.

Two reasons for me to switch from OpenBSD PPPoE to modem PPPoE:

My provider breaks the line every 24 hours, so my postfix, apache and other daemons didn't work as expected.
I could bind them to a dummy or other interface and redirect with pf, but this hasn't stopped the trouble.

IPsec and ssh run happily behind a routing modem with a private IP (both directions).

That's a good point; I never thought about what would happen to the daemons if the PPPoE connection died. I take it you are using the kernel PPPoE rather than the userland one?
(15th June 2008) ohauer, Port Guard

Yes, you are right; I used kernel PPPoE since it was more stable with my provider than userland PPPoE.