User guide
Security
90
1/1551-HSC 901 35/3 Uen C 2005-12-02
other party’s IP address is located within the same subnet, then the sender
can obtain the destination MAC address by an Address Resolution Protocol
(ARP) request.
The Access Domain Ethernet enables direct communication between EDA
subscribers on layer 2. This can be considered an advantage in terms of
efficiency, compared to the alternative of routing all communication via
some IP router at the top of the Access Domain hierarchy. However, the
direct communication enables subscribers to perform attacks that are
normally not associated with a DSL access system. An example of this is
manipulation of ARP tables in the CPE, with the purpose of intercepting
traffic to and from the subscriber.
Figure 58 Layer 2 Separation and Visibility
Thus, in some access scenarios it is necessary to prevent direct layer-2
communication between subscribers. Instead, all traffic must be transmitted
via an IP router, as indicated in Figure 58 on page 90.
Forcing the upstream subscriber traffic via a router can be done in different
ways. The EDA System operates with four different methods: PPP, VLAN
and Forced Forwarding.
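To make the layer-2 separation concrete, here is a small forwarding model (an added example written for this guide, not EDA code or any Ericsson implementation). It treats the access switch as one uplink port towards the IP router plus a set of subscriber ports, and shows where an unsolicited ARP reply sent by one subscriber ends up with and without forced forwarding. Port names, MAC addresses and the "ARP"/"IP" ethertype labels are constructed for the example; the MAC learning table is a plain dictionary and no real switch API is involved.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Constructed topology: one uplink port to the IP router, three subscriber ports.
ROUTER_PORT = "uplink"
SUBSCRIBER_PORTS: Set[str] = {"sub1", "sub2", "sub3"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    in_port: str
    src_mac: str
    dst_mac: str
    ethertype: str  # "ARP" or "IP" (labels chosen for this example)


def forward(frame: Frame, mac_table: Dict[str, str], forced_forwarding: bool) -> Set[str]:
    """Return the set of output ports for a frame (simplified switch model).

    mac_table maps a learned MAC address to the port it was learned on.
    With forced_forwarding=True, everything received on a subscriber port is
    sent to the router port only, so subscribers never talk to each other
    directly on layer 2 (the mitigation described in the text).
    """
    unknown_or_bcast = frame.dst_mac == BROADCAST or frame.dst_mac not in mac_table

    if frame.in_port == ROUTER_PORT:
        # Downstream traffic: deliver to the learned subscriber port, or
        # flood towards all subscribers if the destination is unknown/broadcast.
        if unknown_or_bcast:
            return set(SUBSCRIBER_PORTS)
        return {mac_table[frame.dst_mac]}

    # Upstream traffic from a subscriber port.
    if forced_forwarding:
        return {ROUTER_PORT}

    # Plain learning switch: flood on unknown/broadcast, else use the table.
    if unknown_or_bcast:
        return (SUBSCRIBER_PORTS | {ROUTER_PORT}) - {frame.in_port}
    return {mac_table[frame.dst_mac]}


def reaches_other_subscriber(frame: Frame, mac_table: Dict[str, str], forced_forwarding: bool) -> bool:
    """True if a frame from one subscriber would be delivered to another subscriber port."""
    outputs = forward(frame, mac_table, forced_forwarding)
    return bool((outputs & SUBSCRIBER_PORTS) - {frame.in_port})


def demo() -> Dict[str, bool]:
    """Run the scenario from the text: sub2 sends an unsolicited ARP reply to sub1's MAC."""
    # Constructed learning table: each MAC was learned on the port shown.
    mac_table = {
        "02:00:00:00:00:01": "sub1",
        "02:00:00:00:00:02": "sub2",
        "02:00:00:00:00:03": "sub3",
        "02:00:00:00:00:fe": ROUTER_PORT,  # the IP router's MAC
    }
    # An ARP reply from sub2 addressed directly to sub1's CPE.
    arp_reply = Frame("sub2", "02:00:00:00:00:02", "02:00:00:00:00:01", "ARP")
    return {
        "plain_switch_reaches_sub1": reaches_other_subscriber(arp_reply, mac_table, False),
        "forced_forwarding_reaches_sub1": reaches_other_subscriber(arp_reply, mac_table, True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

With the plain learning switch the ARP reply is delivered straight to sub1's port, which is exactly the path an ARP-table manipulation needs; with forced forwarding the only output port is the uplink, so the frame ends up at the IP router, which can simply discard ARP traffic that is not addressed to it. The same check applies to broadcast ARP requests: under forced forwarding they also go to the router only, so the router answers on behalf of the gateway address and subscribers never see each other's ARP traffic.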
Virtual MAC Address
To prevent MAC spoofing and to be able to uniquely identify an end-user in
the EDA access system, the EDA solution offers the use of the function
called virtual MAC address.