Wireless broadband provider shares methodology for cheap login control: It ain't perfect, but it's an interesting way to prevent hijackers by using control mechanisms already available in operating systems and servers. I expect there are some security problems here I'm not spotting. It does prevent MAC spoofing -- not sniffing.
Finally a step in the right direction.
Now let's add Encryption via PPP and
we solved the WiFi Problem (e.g. ECP)
Well, PPPoE needs some authentication
for session termination and of course
some asymmetric Hotspot authentication.
This alleged solution actually isn't one. First, it's not new, second, it doesn't solve anything as is :-(
The first issue is that it uses PAP, which transmits passwords in cleartext, so anybody with a sniffer can get full credentials from legitimate users logging in.
Even using CHAP isn't enough: though better, it is still succeptible to attacks.
So, one needs a "strong" authentication method that isn't succeptible to attacks in this particular context.
Second problem: without encryption, it obviously can't prevent anyone from doing "MAC spoofing", even though it would be done slightly differently here. So, one needs encryption with at least per-user keys, at best per-session keys.
So, you need to use one of the usual strong auth methods that can derive keys: EAP-TLS, EAP-SRP, EAP-AKA, EAP-SIM or the combined PEAP+EAP-MSCHAPv2 or EAP-TTLS+EAP-MSCHAPv2, and PPP encryption.
Might as well use 802.1X and WEP with dynamic per-session keys: that are actually more implementations, and there is also less overhead and complexity.
Jacques.
I would look at the MPPE spec and enable that over PPPoE. It works - and is reasonably secure. Check this out (the article itself outlines most of what you can do, and the limitations).
Better than WEP, worse than most EAP, but it actually works now with zero client configuration, which is more than what you can say for just about any EAP variants right now...
This is cool if it gets OS-level support, but pray it doesn't go like the early competing PPPoE client stacks... the hell of dealing with the likes winpoet, macpoet, enternet, RASPPPoE is something I don't want to revisit.