From: Alexander Motin
To: Ovi
Cc: freebsd-net@freebsd.org, mpd-users@lists.sourceforge.net
Subject: Re: Mpd-4.2 released.
Date: Wed, 27 Jun 2007 15:08:39 +0300
Message-ID: <46825347.1030206@freebsd.org>
In-Reply-To: <468245F8.1090709@unixservers.us>
List-Id: Networking and TCP/IP with FreeBSD

Ovi wrote:
> Also as you know PPPoE is vulnerable to ARP poisoning and to DoSs. Having
> a small network with 10-20 computers using mpd is easy, but having 2000
> users or more, things change, problems appear. Solving ARP poisoning or
> DoS attack (sometimes caused by a burned switch port which mixes RX with
> TX) I think can be done using a Layer 2 managed switch, with ACLs; I will
> try and I'll inform you.

Even if PPPoE has some DoS weaknesses, it also has some protection
mechanisms against them. It's a pity, but ng_pppoe originally implements the
protocol in a way which does not allow this protection to be used
effectively. As I have said, the 4.2 release contains overload protection
which should also help against DoS attacks. I am not sure it will be able to
handle a 100 Mbit/s flood of PADI requests from a broken switch, but it
should avoid an mpd freeze in such a case.

> When having many users, it is useful to have high availability, so it
> would be nice and useful to set up multiple PPPoE servers. I've tried
> that, using a router connected to 2 PPPoE servers, and at every PPPoE
> connection a route was added to the router, and when the user
> disconnected, the route was deleted from the router. This is still a
> buggy implementation; we had problems messing up the routing table.

Having several PPPoE servers in one segment is a normal solution for this
protocol. It is not as efficient now as it could be, due to the ng_pppoe
implementation problem I have mentioned, but it still should increase
performance and stability. As for the routing problems, you just should
find a good dynamic routing solution. I have a successfully working network
with a hundred PPPoE servers and many thousands of users, with routing
successfully managed by quagga bgp.

--
Alexander Motin
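As an added illustration (not part of this thread, nor code from mpd or ng_pppoe), the PADI-flood case discussed above can be spotted on the wire before it reaches the access concentrator: the detector below parses PPPoE Discovery frames (EtherType 0x8863, RFC 2516 header) and flags any source MAC whose PADI rate exceeds a sliding-window threshold. The sample frames, MAC addresses, threshold and window are constructed or assumed values.

```python
import struct
from collections import defaultdict, deque

ETHERTYPE_PPPOED = 0x8863   # PPPoE Discovery stage (RFC 2516)
CODE_PADI = 0x09            # PADI: client looking for an access concentrator

def parse_pppoe_discovery(frame: bytes):
    """Return (src_mac, code, session_id) for a PPPoE Discovery frame, else None."""
    if len(frame) < 20:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_PPPOED:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or len(frame) < 20 + length:
        return None  # not PPPoE v1/type 1, or truncated TAG payload
    return src.hex(":"), code, session_id

def padi_flood_sources(frames, threshold=100, window=1.0):
    """Sources that sent more than `threshold` PADIs within any `window` seconds.
    `frames` is an iterable of (timestamp, raw_ethernet_frame) in time order.
    Threshold and window are assumed tuning values, not taken from mpd/ng_pppoe."""
    recent = defaultdict(deque)  # src MAC -> PADI timestamps inside the window
    flagged = set()
    for ts, frame in frames:
        parsed = parse_pppoe_discovery(frame)
        if parsed is None or parsed[1] != CODE_PADI:
            continue
        q = recent[parsed[0]]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged.add(parsed[0])
    return flagged

def build_padi(src_mac: bytes, tags: bytes = b"\x01\x01\x00\x00") -> bytes:
    """Constructed PADI: broadcast destination, empty Service-Name TAG (0x0101)."""
    return (b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_PPPOED)
            + struct.pack("!BBHH", 0x11, CODE_PADI, 0, len(tags)) + tags)

def sample_frames():
    """Constructed capture: a normal client retrying twice and one source
    replaying PADIs at 500/s, as a looped or mirroring switch port might."""
    normal = bytes.fromhex("020000000001")
    flooder = bytes.fromhex("020000000002")
    frames = [(0.0, build_padi(normal)), (3.0, build_padi(normal))]
    frames += [(5.0 + i * 0.002, build_padi(flooder)) for i in range(200)]
    return sorted(frames, key=lambda f: f[0])
```

Fed with a real capture (for example timestamps and raw frames read from a pcap), the flagged MACs are the candidates for a per-port ACL or rate limit on the managed switch rather than something mpd has to absorb.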