User guide
Security
88
1/1551-HSC 901 35/3 Uen C 2005-12-02
The encoding is used by Cisco for a number of routers that support the
relay agent information scheme.
With this configuration only the second sub-option, Remote Agent ID, is
used. A total of 16 bytes are inserted, where the contents of each byte have
been defined in advance.
Even though the Cisco configuration is used with routers, the encoding is
still relevant for the EDA system, and the requirement from RFC 3046
concerning a globally unique Remote Agent ID is still fulfilled.
The Customer Number will be an ASCII String using bytes x1, x2, x3 and
so on. Since the IP DSLAM acts as a bridge and not as a router, a few
deviations from RFC 3046 will be made:
If a DHCP request from a subscriber already contains an option 82
identifier, the Ethernet packet is not discarded. Instead, the unique
identifier replaces the original to prevent spoofing of the DHCP request.
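The replace-instead-of-discard behaviour described above can be sketched as follows. This is an added example, not code from the guide or from the EDA system. It assumes a 16-byte Remote Agent ID made of the ASCII customer number padded with zero bytes (the guide's actual byte layout is not reproduced in this section); the function names and the sample customer number are hypothetical.

```python
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82
SUBOPT_REMOTE_ID = 2   # second sub-option of option 82 (RFC 3046)
REMOTE_ID_LEN = 16     # assumption: 16-byte value, customer number zero-padded


def parse_options(raw):
    """Split a DHCP options field (after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        # Reject options whose length byte points past the end of the field.
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option %d" % code)
        length = raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_remote_id(customer_number):
    """Hypothetical layout: ASCII customer number, zero-padded to 16 bytes."""
    value = customer_number.encode("ascii")
    if len(value) > REMOTE_ID_LEN:
        raise ValueError("customer number too long")
    return value.ljust(REMOTE_ID_LEN, b"\x00")


def enforce_option82(raw, customer_number):
    """Drop any subscriber-supplied option 82 and append the trusted one.

    Returns (new_options, replaced); 'replaced' is True when the subscriber's
    request already carried an option 82, which is worth logging.
    """
    opts = parse_options(raw)
    kept = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]
    replaced = len(kept) != len(opts)
    remote_id = build_remote_id(customer_number)
    relay_info = bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    kept.append((OPT_RELAY_INFO, relay_info))  # appended as the last option
    out = b"".join(bytes([c, len(v)]) + v for c, v in kept)
    return out + bytes([OPT_END]), replaced


# Constructed sample: DHCPDISCOVER options carrying a forged option 82.
FORGED = bytes([53, 1, 1]) + bytes([82, 6, 2, 4]) + b"EVIL" + bytes([255])
```

The request is forwarded either way; the `replaced` flag only records that a subscriber-supplied identifier was overwritten.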
9.4 IP DSLAM Security Mechanisms
The bridging function of the IP DSLAMs virtually creates a common
Ethernet covering both the Access Domain Ethernet and the CPE LANs.
While this creates a simple and flexible network architecture, it also
introduces some potential security issues to be addressed by the EDA
system.
The nature of a broadcast medium like Ethernet implies that information is
distributed to multiple entities connected to the medium, including to some
that are not intended as receivers. This may be acceptable in a corporate
LAN environment, but in an access scenario like EDA, it must be possible
to ensure that subscribers will only receive information that is explicitly
intended for them. A key entity here is the IP DSLAM, which is able to
perform filtering and other functions that ensure security and privacy.
9.4.1 Filtering
By introducing filtering in the IP DSLAM it is possible to control the traffic to
and from EDA subscribers, thereby restricting the types of frames/packets
forwarded by the IP DSLAM.
The filtering policy can be based on a wide set of rules. Consequently, the
filter may be tailored to a specific deployment scenario, and it can be
updated on the fly if a security risk is discovered after installation. The filters
are configurable individually per PVC.