From owner-freebsd-security Fri Nov 24 14:10:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from phalse.2600.com (phalse.2600.COM [216.66.24.2]) by hub.freebsd.org (Postfix) with ESMTP id 29F4D37B4C5 for ; Fri, 24 Nov 2000 14:10:30 -0800 (PST)
Received: from localhost (localhost [[UNIX: localhost]]) by phalse.2600.com (8.8.8/8.8.8) with ESMTP id RAA25473 for ; Fri, 24 Nov 2000 17:10:28 -0500 (EST)
Date: Fri, 24 Nov 2000 17:10:22 -0500 (EST)
From: Dominick LaTrappe
To: freebsd-security@freebsd.org
Subject: Re: static ARP tables
In-Reply-To: <20001124174231.Z27042@speedy.gsinet>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 24 Nov 2000 Gerhard Sittig wrote:

> You might be interested in the conf/23063 PR with the
> "[PATCH] for static ARP tables in rc.network" synopsis
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063).

With software-set MAC addresses supported by a number of cards, this patch does not provide much security.

(2)=Ethernet, (3)=IP.

If Mallory wants to play ARP games on your local network, to get Alice(2) to talk with Mallory(2) when she really means to talk with Bob(2), Mallory's ultimate plan is still for Alice(3) to talk with Mallory(3).

Using IPsec AH all over this network will prevent Mallory(3) from successfully sending IP packets with a source address other than Mallory(3)'s. (Specifically, the packet will be dropped by the recipient.) If this isn't enough, using IPsec ESP all over this network will prevent Mallory(3) from understanding any IP packets not truly bound for Mallory(3). Now, all that Mallory(2) has done is caused a DoS.

Unless you can hardcode per-port MAC addresses into your switch, with exactly one host interface connected to each port, using IPsec like this is a good idea IMHO.

Of course, there are all kinds of devices, including the common SoHo router, that don't support any kind of IPsec. How to prevent Mallory from masquerading as these is another story.

||| Dominick

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
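The message above argues that a static ARP table cannot stop Mallory(2) from answering for Bob(3), and that the visible effect is at worst a DoS once IPsec is in place. What a static table does give a defender is a reference to check observed traffic against. The monitor below is an added example, not code from this thread or from FreeBSD: it replays a constructed list of ARP replies, compares each against a hypothetical pinned IP-to-MAC table (the kind the conf/23063 patch would install) and against bindings learned from earlier replies, and reports the two signals of the "ARP games" the post describes: a reply that contradicts a pinned entry, and a single MAC that ends up answering for several IP addresses. All addresses are constructed sample values from the IANA documentation MAC range.

```python
"""ARP-binding monitor: flag the IP->MAC changes that ARP games produce.

Added example, not code from the mailing-list thread or from FreeBSD.
All addresses below are constructed sample values; the static table is
hypothetical and stands in for an administrator-pinned ARP table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as seen on the wire (only the sender fields matter here)."""
    ts: int          # seconds, constructed timestamp
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # IP -> MAC pairs an administrator pinned (hypothetical static table)
    static: Dict[str, str] = field(default_factory=dict)
    # IP -> MAC pairs learned from traffic, most recent reply wins
    learned: Dict[str, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def observe(self, r: ArpReply) -> Optional[str]:
        """Record one reply; return an alert string if it contradicts what we know."""
        mac = r.sender_mac.lower()
        pinned = self.static.get(r.sender_ip)
        if pinned is not None and mac != pinned.lower():
            msg = (f"t={r.ts} static mismatch: {r.sender_ip} claimed by {mac}, "
                   f"table says {pinned.lower()}")
            self.alerts.append(msg)
            return msg  # a contradicting reply never overwrites a pinned entry
        prev = self.learned.get(r.sender_ip)
        self.learned[r.sender_ip] = mac
        if prev is not None and prev != mac:
            msg = f"t={r.ts} binding change: {r.sender_ip} moved {prev} -> {mac}"
            self.alerts.append(msg)
            return msg
        return None

    def macs_claiming_many(self) -> Dict[str, List[str]]:
        """MACs currently answering for more than one IP (a common spoofing footprint)."""
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in self.learned.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


# Constructed sample hosts (IANA documentation MAC range 00:00:5e:00:53:xx).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:00:5e:00:53:01"
BOB_IP, BOB_MAC = "10.0.0.2", "00:00:5e:00:53:02"
ALICE_IP, ALICE_MAC = "10.0.0.3", "00:00:5e:00:53:03"
MALLORY_MAC = "00:00:5e:00:53:ff"

# Constructed replay: normal replies, then one MAC answering for everyone.
SAMPLE_REPLIES = [
    ArpReply(1, BOB_IP, BOB_MAC),
    ArpReply(2, ALICE_IP, ALICE_MAC),
    ArpReply(3, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(10, BOB_IP, MALLORY_MAC),       # Mallory(2) now answers for Bob(3)
    ArpReply(11, GATEWAY_IP, MALLORY_MAC),   # ...and for the pinned gateway
    ArpReply(12, ALICE_IP, MALLORY_MAC),     # ...and for Alice(3)
]


def run_demo() -> ArpMonitor:
    """Feed the constructed replay through a monitor that pins only the gateway."""
    mon = ArpMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    for r in SAMPLE_REPLIES:
        mon.observe(r)
    return mon


if __name__ == "__main__":
    m = run_demo()
    for a in m.alerts:
        print(a)
    print("MACs answering for several IPs:", m.macs_claiming_many())
```

Only the gateway is pinned in the demo, so Bob's and Alice's moves surface as binding changes while the gateway reply surfaces as a static mismatch and leaves the pinned entry untouched; the multi-IP summary then shows the same MAC behind both unpinned hosts. In practice the replies would come from a packet capture rather than a constructed list, and the monitor only ever sees what Mallory(2) did on the wire: it confirms the post's point that pinning addresses turns a redirect into a detectable DoS rather than preventing it.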