On Mon, 25 Jun 2001 18:27:50 -0700 Ted Lemon wrote:
I think we are in violent agreement. I don't like the IP->MAC->Customer mapping, it is forgeable, but it is the only one I know we have available. I agree with you that it is not the only possible mapping. If you can point me to a better existing mechanism, I would be grateful.
If you are a cable modem or DSL provider, you may be able to use the relay agent information option to get a unique ID from the cable modem. This should uniquely identify the customer, and has the virtue that you may have sold the customer the box, and thus may already know its ID. Cable modem and DSL systems that support this functionality can apparently be set up so that it's quite difficult to spoof the modem identification.
Ted; That works for the cable/dsl/wireless modem. As always, there are some unstated assumptions that come with the particular engineering sub-niche. The unstated assumption here is that the problem is not the modems, but the devices beyond the modem, the devices that the customer actually uses: PCs, routers, IP-aware toasters, web cams, etc. These are the devices that tend to cause the most problems. They have an enormous range of different manufacturers. Customers, those pesky folk, tend to add/modify/delete them constantly. Also, if the cable/dsl/wireless modem is a router, life becomes much simpler as one can just gather the necessary information via tracing. However, I am not sure requiring modems to be routers is a good thing... Let me stress in passing, it is very important that public (non-RFC 1918) IPv4 addresses not be wasted on cable/wireless/dsl modems. There is no reason for these modems to be reachable from the outside world (in an IPoE environment) and reachability is actually dangerous. If you waste public IP addresses on these devices, eventually ARIN will step on your head.
Now, in this case and also in the case of tracking the customer's MAC address, you are still really tracking access at a customer premise level, not at a user level, and so this couldn't be used as a reliable way of identifying an individual user, but it *could* be used as a way of figuring out who to contact to get more information.
Exactly. It isn't an optimal solution. However, Caller-Id and username/password have the same drawbacks. In fact, I once was an expert witness on the question of whether username/password was sufficient proof beyond a reasonable doubt.

regards,
fletcher
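
The relay agent information lookup discussed in this thread, as an added example that is not part of the original messages: it parses DHCP option 82 (RFC 3046) and keys the customer on the relay-inserted remote ID instead of the client-supplied MAC address. The relay addresses, customer table and packet bytes are constructed, and honouring option 82 only from known relays is an assumption of this example.

```python
# Added example: DHCP option 82 (relay agent information, RFC 3046) lookup.
RELAY_AGENT_INFO = 82                 # option code
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # sub-option codes
PAD, END = 0, 255

def tlv(data: bytes, pad_end: bool) -> dict:
    """Walk code/length/value records into {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == END:
            break
        if pad_end and code == PAD:   # PAD is a single byte with no length
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out

def customer_for(giaddr, options, trusted_relays, customers):
    """Map a request to a customer by the relay-inserted remote ID.

    Assumption of this example: option 82 is honoured only when the packet
    came through a known relay (giaddr); the client's chaddr is never used.
    """
    if giaddr not in trusted_relays:
        return None
    raw = tlv(options, pad_end=True).get(RELAY_AGENT_INFO)
    if raw is None:
        return None
    remote_id = tlv(raw, pad_end=False).get(SUB_REMOTE_ID)
    return customers.get(remote_id)

# Constructed sample data (documentation address ranges, not real devices).
MODEM_ID = bytes.fromhex("00005e005301")
SUBOPTS = bytes([SUB_CIRCUIT_ID, 2, 0, 4]) + bytes([SUB_REMOTE_ID, 6]) + MODEM_ID
SAMPLE = bytes([53, 1, 1, RELAY_AGENT_INFO, len(SUBOPTS)]) + SUBOPTS + bytes([END])
TRUSTED_RELAYS = {"192.0.2.1"}
CUSTOMERS = {MODEM_ID: "customer-1001"}

if __name__ == "__main__":
    print(customer_for("192.0.2.1", SAMPLE, TRUSTED_RELAYS, CUSTOMERS))
    print(customer_for("198.51.100.9", SAMPLE, TRUSTED_RELAYS, CUSTOMERS))
```

As the thread notes, the result identifies the customer premises to contact, not an individual user behind the modem.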