User guide

Security
1/1551-HSC 901 35/3 Uen C 2005-12-02
91
The basic principle of virtual MAC addresses is that the IP DSLAM performs address translation of MAC addresses. The IP DSLAM pre-assigns a number of potential MAC addresses to be associated with the real MAC address of the end-user's equipment, for example a PC or an STB (Set Top Box) for video service.
The IP DSLAM maps between the MAC addresses received from the end-user's equipment and the locally administered MAC (Virtual MAC) addresses used in the Ethernet Access Domain.
For upstream traffic the source MAC address from the end-user is replaced with its corresponding locally administered address and then forwarded towards the aggregation switch. For downstream traffic the locally administered address is replaced with its corresponding end-user MAC address and forwarded towards the ADSL line.
In this way it does not matter if the equipment of several end-users is configured with the same MAC address (spoofing); the end-user addresses are never used within the Access Domain.
Virtual MAC addresses are statically assigned by the IP DSLAM and allow the operator to control and limit the number of devices (PCs) the end-user is able to connect to the ADSL line (per PVC). They also make it possible to identify an end-user's traffic in the EDA access network by looking at the virtual MAC address in the Ethernet frame, since this address is traceable to the specific PVC on the end-user's ADSL line.
The Virtual MAC is an optional feature to prevent MAC spoofing.
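The following is an added illustration, not code from the EDA user guide or from the IP DSLAM product: a small model of the virtual MAC translation described above. The layout of the virtual address (locally administered bit, followed by an assumed node id, PVC number and host index), the per-PVC host limit and the sample frames are all assumptions constructed for this example. It shows two end-users on different PVCs using the same (spoofed) MAC address, the distinct virtual addresses they receive upstream, the reverse mapping downstream, and the drop of a third host once the per-PVC limit is reached.

```python
import struct

# Ethernet II header: destination MAC, source MAC, EtherType.
ETH_HDR = struct.Struct("!6s6sH")


class VirtualMacTable:
    """Per-PVC translation between end-user MAC addresses and virtual MACs.

    Model of the mechanism described in the text; the address layout and the
    limit are assumptions, not the product's actual encoding.
    """

    def __init__(self, node_id: int, max_hosts_per_pvc: int = 2):
        self.node_id = node_id          # assumed 16-bit identifier of the DSLAM
        self.max_hosts = max_hosts_per_pvc
        self.up = {}     # (pvc, real_mac) -> virtual_mac
        self.down = {}   # virtual_mac -> (pvc, real_mac)
        self.count = {}  # pvc -> number of hosts already assigned

    def _virtual_mac(self, pvc: int, index: int) -> bytes:
        # Assumed layout 02:<node_id>:<pvc>:<index>. The leading 0x02 sets the
        # locally administered bit and clears the group bit, so virtual MACs can
        # never collide with vendor-assigned addresses of end-user equipment.
        return (bytes([0x02]) + self.node_id.to_bytes(2, "big")
                + pvc.to_bytes(2, "big") + bytes([index]))

    def lookup_or_assign(self, pvc: int, real_mac: bytes):
        """Return the virtual MAC for (pvc, real_mac), or None if the PVC is full."""
        key = (pvc, real_mac)
        if key in self.up:
            return self.up[key]
        n = self.count.get(pvc, 0)
        if n >= self.max_hosts:
            return None  # operator limit on devices per PVC reached
        vmac = self._virtual_mac(pvc, n)
        self.up[key] = vmac
        self.down[vmac] = key
        self.count[pvc] = n + 1
        return vmac

    def upstream(self, pvc: int, frame: bytes):
        """Rewrite the source MAC of a frame arriving on `pvc`; None means drop."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        vmac = self.lookup_or_assign(pvc, src)
        if vmac is None:
            return None
        return ETH_HDR.pack(dst, vmac, etype) + frame[ETH_HDR.size:]

    def downstream(self, frame: bytes):
        """Map a frame from the Access Domain back to (pvc, frame with real dst)."""
        dst, src, etype = ETH_HDR.unpack_from(frame)
        entry = self.down.get(dst)
        if entry is None:
            return None  # unknown virtual MAC: nothing to deliver it to
        pvc, real = entry
        return pvc, ETH_HDR.pack(real, src, etype) + frame[ETH_HDR.size:]


def make_frame(dst: str, src: str, payload: bytes = b"\x00" * 46) -> bytes:
    # Constructed sample frame (EtherType 0x0800, IPv4) for the example.
    return ETH_HDR.pack(bytes.fromhex(dst), bytes.fromhex(src), 0x0800) + payload


def demo():
    table = VirtualMacTable(node_id=0x0A0B, max_hosts_per_pvc=2)
    spoofed = "001122334455"          # constructed: same MAC on two lines
    frame = make_frame("ffffffffffff", spoofed)

    # Same end-user MAC on PVC 1 and PVC 2 yields two different virtual MACs.
    up1 = table.upstream(1, frame)
    up2 = table.upstream(2, frame)

    # Second host on PVC 1 is accepted, a third one is dropped (limit = 2).
    second = table.upstream(1, make_frame("ffffffffffff", "0a0000000002"))
    third = table.upstream(1, make_frame("ffffffffffff", "0a0000000003"))

    # A downstream frame addressed to PVC 2's virtual MAC is mapped back.
    down = table.downstream(make_frame(up2[6:12].hex(), "00aabbccddee"))
    return up1, up2, second, third, down


if __name__ == "__main__":
    up1, up2, second, third, down = demo()
    print("PVC1 virtual src:", up1[6:12].hex(":"))
    print("PVC2 virtual src:", up2[6:12].hex(":"))
    print("third host on PVC1 dropped:", third is None)
    print("downstream delivered to PVC", down[0], "dst", down[1][:6].hex(":"))
```

Because the table is keyed by (PVC, real MAC), the spoofed address on the ADSL line is irrelevant inside the Access Domain, and any virtual address seen at the aggregation switch can be traced back to a PVC, which is the identification property the text describes.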
9.5 Encryption and Tunneling
The Access Domain interfaces to other data networks that may be subject to hacking attacks. An attacker may intercept the traffic sent over the external network, or may try to access the EDA system via that network.
To protect the EDA network and its traffic from external attackers, the communication over external networks can be protected. The keywords here are tunneling and encryption.
Between the Access Domain and remotely located service providers the traffic is sent in tunnels. For example, the PPP sessions may be tunneled to a remote service provider.
The communication between the Access Domains and the Operation Center can be protected using secure VPN connections.
Even if the EDA access node is considered secure, the subscriber traffic may be snooped on the public Internet. A solution to this is a VPN.