Internet Access Russian Dolls

When the local Telco installed my blindingly fast 20 Mbps Internet-over-fiber-cable service, I was expecting to use DHCP on the router’s outside interface to connect to the Internet. After all, they’re running switched Ethernet VLANs over the fiber cable, and using DHCP seemed a logical choice. Imagine my surprise when I had to configure PPP-over-Ethernet (PPPoE) – it was as if I would be using a DSL connection, not a fiber-optic cable. Instead of running IP directly over switched Ethernet (like we’re doing in most networks), my IP packets get encapsulated in PPP frames. PPPoE headers are then prepended to the PPP frames and the resulting payload sent over switched Ethernet to the remote access server, almost like Russian dolls.

After I considered this seemingly weird choice for a while, though, using PPPoE for Internet access didn’t seem such a bad idea after all:

  • DHCP has no real authentication mechanism. While it’s possible to use MAC authentication, it’s a nightmare to manage; every time you replace your hardware, you have to call your ISP. The ISP might use 802.1X for authentication and DHCP for address allocation, but that would be just another untested combination of technologies. (My service also offers DSL connections, so using the same authentication mechanism on fiber-optic cable makes life easier.)
  • PPPoE sessions are point-to-point sessions. If you configure PPPoE and no IP address on your SOHO router’s outside interface, it’s harder for someone to inject packets into your data stream than it would be if you used a switched or shared LAN-like media (for example, cable Internet).
  • Terminated PPPoE sessions generate dynamic interfaces. You can apply QoS parameters (for example, policing or shaping) on these interfaces, implementing granular rate-limiting for individual customers. Doing something similar on a switched VLAN would be an administrative nightmare.

As with any solution, using PPPoE everywhere has its drawbacks, the most obvious being the CPU power you need to terminate the high-speed PPPoE sessions…but you probably don’t really care, as long as you have spare capacity. Anyway, my service is charging me €25 a month (around $37) for a highly reliable, unrestricted symmetric 20 Mbps Internet connection – and as long as the price/performance ratio stays the same, I wouldn’t care if they used IP over Avian Carriers to transport my data.

7 comments:

  1. Modern switches can use "option 82" to pass customer port number and "switch id" to DHCP-server. Dynamic ARP inspection and IP source guard can prevent "packet injection".
  2. IP over Avian Carriers is classical "long-haul" technology. For shorter distance RFC 1926 is better choice.
  3. Well, I'm a bit surprised that you are surprised about this... ;-)
    Here in Germany, Deutsche Telekom provides its customers FTTC-based VDSL-lines with IP-DSLAM's, so this is quite compareable, and they use PPPoE too.
    Honestly, I don't even know if any ISP uses DHCP for access lines here in Germany... (nearly 99,99% use PPP, PPPoE and / or PPPoA I guess)
    Another argument for this solution is that you can easily deploy MPLS-VPN's using the same concept. You just have to add a RADIUS-Attribute...
  4. like you say in fragments, much better for security

    the sad thing is, how many people are going to be running these connections on little crappy home-use routers whose cpu maxes out at 8-10mbps?
  5. This opens the market for dedicated high performance PPPoE optimized network adapters. :)
  6. @visir: Thanks. I learn something new every day :)

    @A#1: Definitely a better choice for Metro service. But I guess we need a newer version of the standard. If we'd switch to ultrasound (avoiding the range used by bats to decrease background noise), we could drastically increase the transmission speed.

    @A#2: I'm not surprised. Now I also know where my SP got this bright idea.

    @A#3: You're right ... but in the end, the SP always wins. They give you low-cost crappy router that cannot saturate the link you're paying for, so they lower the overall utilization.

    @A#4: I don't think this is an issue on any decent PC/workstation.

    And, please, would you finally start using nicknames. Trying to sort out replies to four anonymous commenters is not fun :D
  7. By "dedicated high performance PPPoE optimized network adapter" I mean PCI Express ten gigabit ethernet card with hardware acceleration for PPPoE able to transmit/receive and processing PPPoE frames at the full wirespeed. :)
Add comment
Sidebar