Comprehensive Explanation of Broadband Access Network Security Issues

Source: Internet
Author: User

Users of broadband access networks run into many problems, security problems among them. This article introduces solutions to the security problems of the broadband access network. Over the past 10 years, broadband access networks have been booming around the world, and more and more individual and enterprise users reach the Internet through broadband access. At the same time, users' requirements on network performance keep rising: it is no longer enough to provide smooth, high-bandwidth access, and higher demands on service quality are gradually being raised. Within QoS, security assurance is an important indicator that cannot be ignored.

1. Broadband Access Security Issues

The rapid development of broadband access networks has multiplied the number of broadband users, but it has also greatly increased the possibility of security attacks on the network. Since the introduction of Ethernet and IP technologies in particular, the security of access networks has become increasingly prominent. Because Ethernet is a shared-medium network, its advantages and disadvantages are both obvious: many hacker tools available on the network can be used to make waves over Ethernet, listening to other users' traffic, stealing services, and launching DoS attacks [1] that paralyze network devices. For historical reasons, security was given little consideration in the original design of IP networks. Most services on an IP network are carried out by intelligent terminals, while the main function of the intermediate equipment under the operator's control is forwarding, so the operator can hardly control the services; this leaves room for malicious users to carry out destructive activities.

Providing "telecom operation-level" (carrier-grade) access networks that offer users secure access services, detect illegal services, and ensure the normal operation of network equipment is currently a common concern of equipment vendors and telecom operators [2-3]. Broadband access network technology now shows a variety of trends, including digital subscriber line (DSL), hybrid fiber/coaxial cable (HFC), passive optical network (PON) and WiMAX wireless access, but they all share the network architecture shown in Figure 1. The architecture of the broadband access network includes the following components:

(1) User-Defined Network
A user-defined network is the local network behind the home gateway; it is physically owned by the user. DSL is currently the most common user access method.

(2) Access Node
The Access Node physically terminates the user cable, or terminates the wireless channel, and aggregates user data to meet the needs of high-density, multi-form access. The Access Node is the device closest to the user and sits at the edge of the operator's network, so it is the first threshold for security protection. Access nodes therefore play an important role in access network security.

(3) Ethernet Convergence Network
Because of its outstanding cost-performance ratio, Ethernet is favored by operators. The Ethernet convergence network is responsible for aggregating user data and switching it within the network.

(4) Broadband Network Gateway
The Broadband Network Gateway provides many functions: terminating the Ethernet layer and its corresponding encapsulation, user authentication (together with the authentication server), automatic configuration of the user end, and QoS guarantees. Physically, a Broadband Network Gateway can be one device or several devices. It can implement the broadband remote access server (BRAS), the Dynamic Host Configuration Protocol (DHCP) server (or DHCP relay) and router functions.

Access nodes, Ethernet convergence networks, and broadband network gateways belong to the carrier; these devices and networks are trusted by the operator. The user's own network is owned and used by the user, so for the carrier, user-defined networks are untrusted. Most security threats come from attacks by malicious users or programs in the untrusted network. Of course, security problems sometimes also arise inside the trusted domain, for example those caused by unstable devices. Security problems, however, mainly come from threats that the untrusted domain poses to the trusted domain. In summary, the access network faces the following security issues:

(1) Illegal user access.
(2) Sending of illegal and malicious messages.
(3) Media Access Control (MAC)/IP address spoofing, for example fraudulent use of MAC or IP addresses to steal other users' services or to cause DoS attacks.
(4) Illegal services, such as running illegal Voice over IP (VoIP) services and privately connecting additional users.

Next we discuss each of these problems and its corresponding solutions in turn.

2. Illegal User Access

Illegal user access is a serious problem that directly affects the operator's revenue. If users are not identified and authenticated, a large number of illegal users will gain access. User identification and authentication technology is already very mature: Point-to-Point Protocol over Ethernet (PPPoE), DHCP + Web and the 802.1x protocol are all widely used. What currently concerns the industry is the identification of user ports (also known as user lines). In the retail model, each user has a logical port at the Access Node: a hard (physical) port in the wired environment and a soft port in the wireless environment. If the authentication server identifies the user only by username, the user can share the username and password with other users, who can then access the Internet through this logical port. This is something the operator does not want to see, because it reduces the operator's revenue.

When ATM-based Point-to-Point Protocol (PPPoA) was the main access method, the user's virtual channel (VC) terminated on the broadband remote access server (BRAS), so the user's port information could be obtained directly on the BRAS. Currently, PPPoE and IPoA are the main access methods. In both of these access modes the user line is physically terminated at the Access Node, and the VC is either terminated at the Access Node or not used at all, so the BRAS cannot obtain the user's port information directly. There must therefore be an effective mechanism to pass the user port information from the Access Node to the BRAS. Several user port (user line) identification solutions have been proposed:

(1) DHCP Option 82
DHCP Option 82 (RFC 3046) extends the DHCP protocol (RFC 2131). The Access Node must intercept upstream and downstream DHCP packets and act as a layer-2 DHCP relay agent. In the upstream direction it inserts the port information (the uPortID) into the Option 82 field of the packet; in the downstream direction it strips this field (optional).

(2) PPPoE+
The PPPoE+ protocol is also called the PPPoE intermediate agent. Similar to DHCP Option 82, it extends the PPPoE protocol packets: the Access Node intercepts packets in the PPPoE discovery phase and inserts the port information in the upstream direction.

(3) VBAS
VBAS differs slightly from PPPoE+: it modifies the PPPoE procedure itself. An interaction between the BRAS and the Access Node is inserted into the protocol exchange between the user and the BRAS in order to obtain the port information.

(4) VLAN Stacking
VLAN stacking uses two VLAN tags; the inner VLAN tag uniquely identifies the user port.

(5) Virtual MAC
VMAC translates the source MAC address of each user packet according to specific rules, so that the translated MAC address carries the user port information. The BRAS can then obtain the user port information directly from the source MAC address during the PPPoE protocol interaction.
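The Option 82 mechanism of solution (1), together with the username-to-port binding that the start of this section calls for, as an added example that is not part of the original article: a layer-2 relay proxy at the Access Node inserts the circuit-id sub-option upstream and strips it downstream, and a BRAS-side check rejects a login whose reported port is not the one provisioned for the account. The uPortID format, the `bindings` table and the sample DHCPDISCOVER are constructed assumptions.

```python
DHCP_OPTIONS_OFFSET = 240   # fixed BOOTP header (236 bytes) + 4-byte magic cookie
OPT_RELAY_AGENT, SUB_CIRCUIT_ID, OPT_END = 82, 1, 255   # RFC 3046 option 82, sub-option 1 (circuit-id), END
def _parse_options(data: bytes):
    """Return (code, value) pairs from a DHCP options field, stopping at END."""
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:            # PAD byte, no length field
            i += 1
            continue
        ln = data[i + 1]
        opts.append((data[i], data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return opts

def insert_option82(packet: bytes, uport_id: str) -> bytes:
    """Upstream: the Access Node appends Option 82/circuit-id naming the user port."""
    header, options = packet[:DHCP_OPTIONS_OFFSET], packet[DHCP_OPTIONS_OFFSET:]
    if any(code == OPT_RELAY_AGENT for code, _ in _parse_options(options)):
        raise ValueError("Option 82 arriving from the untrusted side: drop the packet")
    cid = uport_id.encode()                 # constructed uPortID, e.g. "dslam1/1/3"
    sub = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
    opt82 = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    body = options.rstrip(b"\x00")          # drop trailing PAD bytes
    if body.endswith(bytes([OPT_END])):
        body = body[:-1]
    return header + body + opt82 + bytes([OPT_END])

def strip_option82(packet: bytes) -> bytes:
    """Downstream: remove Option 82 so the user never sees the port identifier."""
    header, options = packet[:DHCP_OPTIONS_OFFSET], packet[DHCP_OPTIONS_OFFSET:]
    kept = b"".join(bytes([c, len(v)]) + v
                    for c, v in _parse_options(options) if c != OPT_RELAY_AGENT)
    return header + kept + bytes([OPT_END])

def circuit_id(packet: bytes):
    """BRAS/BNG side: read the uPortID from Option 82 sub-option 1, or None."""
    for code, val in _parse_options(packet[DHCP_OPTIONS_OFFSET:]):
        if code == OPT_RELAY_AGENT:
            for sub, body in _parse_options(val):   # sub-options share the TLV layout
                if sub == SUB_CIRCUIT_ID:
                    return body.decode()
    return None

def port_matches_account(packet: bytes, bindings: dict, user: str) -> bool:
    """True only if the reported port is the one provisioned for this account (assumed table)."""
    port = circuit_id(packet)
    return port is not None and bindings.get(user) == port

# Constructed sample DHCPDISCOVER: zeroed BOOTP header, magic cookie, option 53 = 1, END.
SAMPLE_DISCOVER = bytes(236) + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"
```

A packet that already carries Option 82 when it arrives from the user side is treated as spoofed and dropped rather than forwarded.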