From: Fletcher E Kittredge (no email)
Date: Tue Jun 26 2001 - 10:43:03 EDT
On Mon, 25 Jun 2001 18:27:50 -0700 Ted Lemon wrote:
> > I think we are in violent agreement. I don't like the
> > IP->MAC->Customer mapping, it is forgeable, but it is the only one I
> > know we have available. I agree with you that it is not the only
> > possible mapping. If you can point me to a better existing mechanism,
> > I would be grateful.
> If you are a cable modem or DSL provider, you may be able to use the
> relay agent information option to get a unique ID from the cable
> modem. This should uniquely identify the customer, and has the
> virtue that you may have sold the customer the box, and thus may
> already know its ID. Cable modem and DSL systems that support this
> functionality can apparently be set up so that it's quite difficult to
> spoof the modem identification.
That works for the cable/dsl/wireless modem. As always, there
are some unstated assumptions that come with the particular
engineering sub-niche. The unstated assumption here is that the
problem is not the modems, but the devices beyond the modem, the
devices that the customer actually uses: PCs, routers, ip-aware
toasters, web cams, etc. These are the devices that tend to cause the
most problems. They have an enormous range of different
manufacturers. Customers, those pesky folk, tend to add/modify/delete
Also, if the cable/dsl/wireless modem is a router, life
becomes much simpler as one can just gather the necessary information
via tracing. However, I am not sure requiring modems to be routers is
a good thing...
Let me stress in passing, it is very important that public
(non-RFC 1918) IPv4 addresses not be wasted on cable/wireless/dsl
modems. There is no reason for these modems to be reachable from the
outside world (in an IPoE environment) and reachability is actually
dangerous. If you waste public IP addresses on these devices,
eventually ARIN will step on your head.
> Now, in this case and also in the case of tracking the customer's MAC
> address, you are still really tracking access at a customer premise
> level, not at a user level, and so this couldn't be used as a reliable
> way of identifying an individual user, but it *could* be used as a way
> of figuring out who to contact to get more information.
Exactly. It isn't an optimal solution. However, Caller-Id and
username/password have the same drawbacks. In fact, I once was an
expert witness on the question of whether username/password was
sufficient proof beyond a reasonable doubt.
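Ted's relay-agent suggestion above, as an added example that is not part of the original thread: a Python sketch of how a DHCP server or lease-audit tool would key the customer lookup on the relay agent information option (RFC 3046, Option 82, sub-option 2 "Remote ID", inserted by the CMTS/DSLAM) instead of the MAC the customer's PC puts in the chaddr field. The account table, the modem and PC MAC addresses, and the circuit-id string are all constructed for the example; the packet layout follows RFC 2131.

```python
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82      # RFC 3046
SUBOPT_CIRCUIT_ID = 1          # e.g. the CMTS/DSLAM port the request arrived on
SUBOPT_REMOTE_ID = 2           # e.g. the modem's own identifier
OPT_PAD = 0
OPT_END = 255
FIXED_HEADER_LEN = 236         # RFC 2131 header up to (not including) the cookie

# Constructed lookup table: modem IDs the operator already knows because it sold
# the boxes, mapped to made-up account numbers.
CUSTOMERS_BY_REMOTE_ID = {
    bytes.fromhex("00a0c9112233"): "account-1001",
    bytes.fromhex("00a0c9445566"): "account-1002",
}


def parse_options(data: bytes) -> dict:
    """Parse the TLV option area that follows the magic cookie into {code: value}.
    Truncated options raise instead of being silently accepted."""
    if not data.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(DHCP_MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> dict:
    """Split Option 82 into its sub-options {sub-code: value}."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = sub
        i += 2 + length
    return subs


def identify_customer(packet: bytes, table: dict = CUSTOMERS_BY_REMOTE_ID) -> tuple:
    """Return (client MAC as presented in chaddr, customer account or None).
    The MAC is whatever the customer's device claims; the account comes only from
    the Remote ID the relay agent inserted, so a changed MAC does not change it."""
    if len(packet) < FIXED_HEADER_LEN + len(DHCP_MAGIC_COOKIE):
        raise ValueError("packet shorter than a DHCP header")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[FIXED_HEADER_LEN:])
    relay = opts.get(OPT_RELAY_AGENT_INFO)
    if relay is None:
        return chaddr.hex(":"), None    # no relay info: only the forgeable MAC remains
    remote_id = parse_relay_agent_info(relay).get(SUBOPT_REMOTE_ID)
    return chaddr.hex(":"), table.get(remote_id)


def relay_option(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82 the way a relay agent (CMTS/DSLAM) would insert it."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body


def build_discover(chaddr: bytes, relay_info: bytes = b"") -> bytes:
    """Build a minimal DHCPDISCOVER (constructed test input, not a captured packet)."""
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         1, 1, len(chaddr), 0,          # op, htype, hlen, hops
                         0x3903F326, 0, 0x8000,         # xid, secs, flags (broadcast)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)  # ciaddr..giaddr
    header += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, 1]) + relay_info + bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    modem = relay_option(b"cmts1/port7", bytes.fromhex("00a0c9112233"))
    # Two different PCs behind the same modem resolve to the same account.
    for pc_mac in (bytes.fromhex("001122334455"), bytes.fromhex("08002b0c0d0e")):
        print(identify_customer(build_discover(pc_mac, modem)))
```

The point of the split is the one Ted makes: the Remote ID is written by the operator's own relay agent after the packet leaves the customer's equipment, so it identifies the premise regardless of what the PC behind the modem puts in chaddr, while a request that arrives without Option 82 (no relay in the path) falls back to the MAC and the lookup reports that it could not identify an account.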