Mark Barlow <Mark.Barlow@telecom.co.nz> wrote:
> All I can say is that I am surprised it took this long!
Hahahaha!!! I had to wonder if anyone there would be listening... well,
now I know that you know and you don't seem too bothered, which
surprises me a little. I'm not going to keep my findings so close to my
chest.
Then, Oliver Mannion <olly@techie.com> wrote:
> In the configuration as shipped from Telecom, management
> is allowed on the ENET & IP-Direct ip interfaces, not the
> PPP interface. This prevents anyone from the internet
> connecting to the shell of the m10.
This is correct. If you read the release notes of the R2 software you
will see the option 'admin-only' on the DSL-VCC interface. I guess
Telecom is not aware, because their configuration does not use this;
instead 'restrictions' is set to 'none' and address mapping is on, which
means that if you have Pinhole entries covering the Telnet and HTTP ports
their attempts to get into your M10 will be redirected by the Pinhole.
This is one way to stop them from getting into your M10; another is to
turn off VCC 2. I have tried hard to come up with a good reason to stop
them getting in, but all I can see this will do is stop you getting
upgrades of the software, and as I am a bit of a version bunny I don't
mind if they do that.
Anyone who has firmware older than 5.1.3 R2 with a Pinhole covering
Telnet & HTTP can disable the address-mapping on the DSL-VCC interface
to allow Telecom in to upgrade their firmware.
I'm guessing that when Mark says 'stuff your config up' that could
include disabling VCC 2 (?).
> However someone on the IP-Direct side (where does this go??
This is controlled at the DSLAM and Telecom can point the other end of
this anywhere they like on their ATM network. I believe the intention
here is to provide remote flash upgrades etc.
> So it comes down to, do you trust the users of your lan? If not,
> change the admin password.
If you're going to do this you should expect to upset the people at
Telecom trying to administer your M10, who will probably want to know
why (and how) you did this, which could cause a huge (I used to work for
Telecom so I know what huge in their terms means) political shit-storm,
and I can see the JetWiz utility being removed and your M10 (and
probably everyone else's) being replaced with one that has a new admin
password. I know from the dude that was supposed to install my ADSL (I
did this myself because I didn't want to wait three weeks for their next
available appointment; how's that for a show of technical prowess for an
ego boost) that he has had to replace M10s because the DSL-VCC
interface was not working.
This whole DSL-VCC interface thing makes me wonder how they track where
each M10 is. If an M10 appeared on a line that was installed with
a SpeedStream 3020, would it get further EEPROM upgrades? And if an
ENI3020, which does not have a DSL-IP interface configured, appeared
where an M10 was installed, would you get a call from Telecom asking when
they can come around to replace your faulty M10?
> Do you trust telecom or anyone on the IP-Direct interface?
My only consideration here is someone from that interface hacking into
my network, but with my pinhole they can't do much more than someone
from the rest of the planet, which is of greater concern than Telecom.
Jeremy.
To unsubscribe: send mail to majordomo@freebsddiary.cx
with "unsubscribe adsl" in the body of the message
Received on Tue Jan 25 02:57:38 2000