New standard needed for PPPoEoE modems

Weaver:
I am thinking of something that is just zero-config though and allows modems to just work with the same level of easy access to resources as WAPs do.

chenks:

--- Quote from: Weaver on July 04, 2018, 09:44:20 PM ---I am thinking of something that is just zero-config though and allows modems to just work with the same level of easy access to resources as WAPs do.

--- End quote ---

A modem essentially sits outside the network though, so you'll never have them working the same as a WAP.

Weaver:
@chenks that is just what my idea is designed to address, to give a modem a pipe back to the router and let it sit on the inside of the LAN as well, an auto-configured back-channel that gets set up as part of PPPoE extended setup, and an auxiliary channel can carry traffic meant for the modem itself back into the router (and the reverse direction). The modem acquires an address by a choice of various methods, applying to the router as a normal LAN-side box does.

j0hn:
Would be a bad idea imo.
The modem isn't meant to have access to anything WAN side and I'd rather keep it like that.

I should have to set the static route I have to accomplish this.

Weaver:
@j0hn I could hopefully fix your objection by making sure there were on/off switches in the spec. The modem would be logically positioned by the proposed system inside the firewall, despite appearances, so it would have the same protection as any box on the LAN. As well as a total on/off switch, I would add individual internet access on/off and LAN access on/off switches. The defaults would be to deny internet access and deny access to and from boxes on the LAN. You could configure a system so the modem could be allowed access to services provided by the router but that is all, or router plus internet, or any other combination of options.

Access controls should be implemented twice, on the router as well as in the modem, with the modem and router both consulting these flags. The router should apply access blocking according to the flags in case of a compromised modem. To really go to town, as well as packet filtering to apply these controls, the modem could be denied appropriate classes of addresses, so for example the modem might only acquire a link-local address or no IP addresses at all, and the router might not publish RA and DHCP to the modem. Such a lack of addresses might make things a bit more difficult for a compromised modem to get going with some nefarious project.

I think that with some care, security worries could be handled responsibly.

I would like to explore the case where only the modem has the code to support this and the router does not, but is hand-configured to give some or all of the services and types of access that the modem desires. The modem should just handle this half-manual case smoothly and do the right thing. The bad things here are inconvenience and possibly lack of functionality, as the user has the usual pain of having to work out how to configure the router, if this can even be achieved at all.

I just think about the amount of struggle, and brain ache and the number of half-working systems lying around. Once a number of example modules have been written for a modem and a router and a spec is written up I hope this would just make life incredibly straightforward for the two-box user.
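Added example, not part of the thread and not code from any existing spec: a sketch of the router-side half of the access flags described in the post above, applied to each packet on the modem back-channel. The flag names, the sample addresses, the reading that the total switch alone grants access to router services, and the drop of packets that do not have the modem at exactly one end are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ModemAccessFlags:
    # Hypothetical field names. Internet and LAN default to deny, as in the
    # post; the default of the total switch is not stated, off is assumed.
    enabled: bool = False
    internet_access: bool = False
    lan_access: bool = False

# Constructed sample topology (not from the thread).
ROUTER_ADDRS = {ip_address("192.168.1.1"), ip_address("fe80::1")}
LAN_NETS = [ip_network("192.168.1.0/24"), ip_network("fe80::/10")]

def classify(peer, router_addrs=ROUTER_ADDRS, lan_nets=LAN_NETS):
    """Zone of the non-modem end of a flow: 'router', 'lan' or 'internet'."""
    addr = ip_address(peer)
    if addr in router_addrs:
        return "router"
    if any(addr.version == n.version and addr in n for n in lan_nets):
        return "lan"
    return "internet"

def router_allows(flags, modem, src, dst):
    """Router-side verdict for one back-channel packet, in either direction."""
    modem, src, dst = ip_address(modem), ip_address(src), ip_address(dst)
    if (src == modem) == (dst == modem):
        return False  # modem must be exactly one end; covers a spoofed source
    if not flags.enabled:
        return False  # total switch off: nothing passes
    zone = classify(dst if src == modem else src)
    if zone == "router":
        return True   # assumed: router services are what the total switch grants
    return flags.lan_access if zone == "lan" else flags.internet_access
```

Because the router evaluates this itself, a modem that ignores its own copy of the flags still cannot reach a zone that is switched off, and a modem holding only a link-local address is limited to the router unless LAN access is enabled.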
