So then PPPoE will not help stop a virus on a single machine from taking down an access point? Can anyone confirm, as there are opinions both ways?
Depends on the virus.
PPPoE + bandwidth control makes sure that a customer can't push more than his share of bandwidth *through the PPPoE Server*.
Most network traffic is TCP, and TCP will automatically scale back the speed of a TCP session if it exceeds the bandwidth available.
So if we are talking about a virus that tries to spew copies of itself through TCP connections, the bandwidth control will in most circumstances limit the amount of bandwidth that the virus uses.
However, if we are talking about a DDoS trojan or any other application that spews ICMP or other traffic which does not check whether the packets reach their destination or are dropped at the PPPoE Server, then PPPoE doesn't help - the packets are dropped at the PPPoE Server, but the wireless segment is swamped by the traffic. As discussed above, the PPPoE Server has no way of telling the PPPoE client that it exceeds its bandwidth limit[1]. :-/
One advantage of PPPoE, though, is that it is easy to disconnect a customer if you discover that he has been infected (with Linux or *BSD you might even do this automagically with a bit of scripting).
Anyway. The only bulletproof way of making sure that a single client can't swamp the AP with traffic is to have some kind of bandwidth control on the CPE side.
[1] I seem to recall that I've read something about a PPP extension that adds this capability, but I am not aware of any widespread use of it, nor of which servers/clients might support it.
-- LarsG
The PART-15.ORG smartBridges Discussion List
Archives: http://archives.part-15.org
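The reply above mentions scripting the disconnect of an infected customer on a Linux PPPoE server. As an added example that is not part of the original post, this sketch covers the detection half: it compares two samples of `/proc/net/dev` and flags PPP sessions whose inbound packet rate exceeds a limit. The 2000 packets-per-second threshold, the function names and the sample counters are assumptions constructed for illustration.

```python
# Added example: sample data is constructed, threshold is hypothetical.
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshot of /proc/net/dev on the PPPoE server at time t.
SNAP_T0 = HEADER + (
    "  eth0: 900000000 800000 0 0 0 0 0 0 700000000 600000 0 0 0 0 0 0\n"
    "  ppp0: 1000000 10000 0 0 0 0 0 0 500000 8000 0 0 0 0 0 0\n"
    "  ppp1: 5000000 50000 0 0 0 0 0 0 400000 7000 0 0 0 0 0 0\n"
    "  ppp2: 900000 9000 0 0 0 0 0 0 300000 6000 0 0 0 0 0 0\n"
)
# Constructed snapshot ten seconds later.
SNAP_T10 = HEADER + (
    "  eth0: 990000000 900000 0 0 0 0 0 0 710000000 610000 0 0 0 0 0 0\n"
    "  ppp0: 4000000 12000 0 0 0 0 0 0 520000 8200 0 0 0 0 0 0\n"    # normal use
    "  ppp1: 9200000 110000 0 0 0 0 0 0 400100 7001 0 0 0 0 0 0\n"  # packet flood
    "  ppp2: 100 2 0 0 0 0 0 0 60 1 0 0 0 0 0 0\n"                  # reconnected
    "  ppp3: 2000 20 0 0 0 0 0 0 1000 10 0 0 0 0 0 0\n"             # new session
)

def parse_net_dev(text):
    """Return {interface: (rx_bytes, rx_packets)} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 2:
            continue  # the two header lines carry no "name:" prefix
        stats[name.strip()] = (int(fields[0]), int(fields[1]))
    return stats

def flooding_sessions(before, after, seconds, max_pps=2000, prefix="ppp"):
    """Return {interface: packets per second} for sessions above max_pps."""
    old, new = parse_net_dev(before), parse_net_dev(after)
    flagged = {}
    for iface, (_, packets) in new.items():
        if not iface.startswith(prefix) or iface not in old:
            continue  # not a PPP session, or it began during the interval
        delta = packets - old[iface][1]
        if delta < 0:
            continue  # counter went backwards: session restarted, no valid rate
        if delta / seconds > max_pps:
            flagged[iface] = delta / seconds
    return flagged

if __name__ == "__main__":
    print(flooding_sessions(SNAP_T0, SNAP_T10, seconds=10))
```

The rate is measured in packets rather than bytes because a flood of small ICMP or UDP packets can load the wireless segment while staying modest in byte count. What to do with a flagged interface, such as ending that customer's session, is left to the operator.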
