Customer use PPP as access model. If capture packets at client side we can read at "PPP LCP Reject" packet snmp community name that was configured at ME60. This is real security challenge if evereone will know such kind parameter. At ME60 use version V100R006C05SPC600.
part of SNMP configuration from ME60 is:
snmp-agent local-engineid 000007DB7FFFFFFF00004407
snmp-agent community read huawei12345 acl 2000
See attached example of packet. This packet that send ME60 to client and have readable string "huawei12345". This string didn't belong any RFC fields of PPP LCP packet.
Version V100R006C05SPC600 use following algorithm: if PPP packet’s length is less than 60 bytes, ME60 will use part of the content in the memory to make the length longer to 60 bytes (also such process called padding). This site happened to just used the content of memory which contains the snmp community name. V6R2 don’t have this problem, because the mechanism has been changed in V6R2. Also as workaround use following: undo snmp configuration and restored it again, high probability exist that for padding packet ME60 wil use anither part of memory.