-On machines which don't have a default route, the default ppp
-installation does not require the peer to authenticate itself. The
-reason is that such machines would mostly be using pppd to dial out to
-an ISP which will refuse to authenticate itself. (Yes, it's still a
-security hole, which will hopefully be fixed in the next version.)
+On machines which don't have a default route, pppd does not require
+the peer to authenticate itself. The reason is that such machines
+would mostly be using pppd to dial out to an ISP which will refuse to
+authenticate itself. In that case the peer can use any IP address as
+long as the system does not already have a route to that address.
+For example, if you have a local ethernet network, the peer can't use
+an address on that network. (In fact it could if it authenticated
+itself and it was permitted to use that address by the pap-secrets or
+chap-secrets file.)