IP Technical question
Clive D.W. Feather
ukcrypto at chiark.greenend.org.uk
Tue, 27 Jan 2009 19:09:16 +0000
Paul Barnfather said:
> How reliable is the mapping of subscriber account to the point of
> physical access? The reason I ask is that I recently moved house to a
> house with a different phone number, but on the same local exchange.
>
> At the new house I was somewhat surprised to find that my ADSL modem
> happily logged on to my old broadband provider using the login
> credentials from the old address. These login credentials were made up
> of <old phone number>@<old broadband provider>.net and a random
> password. This was before any account transfers, etc had taken place.
>
> Given the above, can I assume that it is possible that another person
> (using ADSL login and password) could log in to my broadband service
> from any other phone line?
>
> If that was to happen, would any such activity by a third party be
> associated with the physical phone line (which would presumably be OK,
> as they could spot the discrepancy), or my broadband account (which
> could potentially be a bad thing)?
The BT boxes use the bit after the @ to decide which ISP to connect to. The
main RADIUS server then passes over the login and password and waits for a
response. There is a second RADIUS server which offers a line identifier of
some kind, but it's carefully arranged so that the packets from the two
arrive at different times and are really painful to match up. So very few
ISPs bother.

Assuming the ISP is not using the line identifier, then as far as the ISP
is concerned all the customers are batched up into groups and there is no
way to tell which physical line within the group is being used. Each group
will have different arrangements at the ISP end - e.g. using a different
RADIUS server - and so you can't move credentials to a line in a different
group. The group size may be as small as a couple of exchanges or could be
as large as the whole country. With 21CN there are 20 handover points and
every exchange in the country is allocated to a fixed one of those 20, so
there are at least 20 groups and you can't move credentials to a line on a
different handover point. [The allocation isn't always obvious - most of
East Anglia is in one group but part of west central Norwich is in a
different one for good reasons.]

As far as the ISP is concerned, they are receiving fees from N customers
and paying BT for N lines. Provided each customer only logs on once at a
time, who cares where they are?

As far as BT are concerned, they are being paid by someone for every ADSL
line. So why should they care which ISP that line is currently connected
to?
--
Clive D.W. Feather | If you lie to the compiler,
clive@davros.org | it will get its revenge.
http://www.davros.org | - Henry Spencer
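
An added example, not part of the original message: when the ISP is not
using the line identifier, the "only logs on once at a time" condition is
the one signal it can check from its own session records. The sketch below
assumes RADIUS accounting-style Start/Stop records; the event layout, user
names and realm are constructed for illustration.

```python
from datetime import datetime

# Constructed accounting-style events: (time, status, session id, User-Name).
# The field layout, user names and realm are made up for this example.
SAMPLE_EVENTS = [
    ("2009-01-27 18:00:00", "Start", "s1", "01632960001@isp.example"),
    ("2009-01-27 18:05:00", "Start", "s2", "01632960002@isp.example"),
    ("2009-01-27 18:20:00", "Start", "s3", "01632960001@isp.example"),
    ("2009-01-27 18:30:00", "Stop",  "s1", "01632960001@isp.example"),
    ("2009-01-27 18:40:00", "Stop",  "s3", "01632960001@isp.example"),
    ("2009-01-27 18:45:00", "Start", "s4", "01632960001@isp.example"),
    ("2009-01-27 19:00:00", "Stop",  "s2", "01632960002@isp.example"),
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def split_realm(user_name):
    """Split 'login@realm'; the realm is the part used to pick the ISP."""
    login, sep, realm = user_name.rpartition("@")
    if not sep or not login or not realm:
        raise ValueError("no realm in %r" % user_name)
    return login, realm.lower()


def concurrent_logins(events):
    """Return (login, realm, time, open session ids) each time a login
    starts a session while another session for it is still open."""
    open_sessions = {}  # (login, realm) -> set of open session ids
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.strptime(e[0], TIME_FORMAT))
    for when, status, session_id, user_name in ordered:
        key = split_realm(user_name)
        sessions = open_sessions.setdefault(key, set())
        if status == "Start":
            if sessions:
                # Same credentials already online: the only mismatch visible
                # without a line identifier.
                alerts.append((key[0], key[1], when,
                               sorted(sessions | {session_id})))
            sessions.add(session_id)
        elif status == "Stop":
            sessions.discard(session_id)  # a Stop with no Start is ignored
    return alerts


if __name__ == "__main__":
    for alert in concurrent_logins(SAMPLE_EVENTS):
        print("concurrent login:", alert)
```

A sequential reuse of the same credentials from another line in the same
group (session s4 in the sample) raises no alert, which is the case the
message describes.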