Date: Fri, 24 Nov 2000 17:10:22 -0500 (EST)
From: Dominick LaTrappe <seraf@2600.COM>
To: freebsd-security@freebsd.org
Subject: Re: static ARP tables
Message-ID: <Pine.NEB.4.21.0011241617180.25280-100000@phalse.2600.com>
In-Reply-To: <20001124174231.Z27042@speedy.gsinet>
On Fri, 24 Nov 2000 Gerhard Sittig <Gerhard.Sittig@gmx.net> wrote:

> You might be interested in the conf/23063 PR with the
> "[PATCH] for static ARP tables in rc.network" synopsis
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063).

With software-set MAC addresses supported by a number of cards, this patch does not provide much security.

(2)=Ethernet, (3)=IP.

If Mallory wants to play ARP games on your local network, to get Alice(2) to talk with Mallory(2) when she really means to talk with Bob(2), Mallory's ultimate plan is still for Alice(3) to talk with Mallory(3).

Using IPsec AH all over this network will prevent Mallory(3) from successfully sending IP packets with a source address other than Mallory(3)'s. (Specifically, the packet will be dropped by the recipient.) If this isn't enough, using IPsec ESP all over this network will prevent Mallory(3) from understanding any IP packets not truly bound for Mallory(3). Now, all that Mallory(2) has done is caused a DoS.

Unless you can hardcode per-port MAC addresses into your switch, with exactly one host interface connected to each port, using IPsec like this is a good idea IMHO.

Of course, there are all kinds of devices, including the common SoHo router, that don't support any kind of IPsec. How to prevent Mallory from masquerading as these is another story.

||| Dominick
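The thread is about pinning IP-to-MAC bindings on a host. As an added example (not from the original message or from the FreeBSD PR), the script below audits a FreeBSD `arp -an` listing against the bindings an administrator expects: it flags entries whose MAC has drifted and entries that were never made permanent. The `arp -an` text and the expected bindings are constructed samples, not captured from a real host; as the message points out, a check like this cannot see an attacker who clones Bob's MAC address outright.

```python
import re
from dataclasses import dataclass

# Expected IP -> MAC bindings for this segment (constructed sample values).
EXPECTED = {
    "192.168.1.1": "00:01:02:03:04:05",   # gateway
    "192.168.1.20": "00:0c:29:aa:bb:cc",  # file server
    "192.168.1.30": "00:0c:29:33:44:55",  # printer, expected but absent below
}

# Constructed sample of FreeBSD `arp -an` output, not taken from a real host.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:01:02:03:04:05 on fxp0 permanent [ethernet]
? (192.168.1.20) at 00:0c:29:de:ad:01 on fxp0 expires in 1175 seconds [ethernet]
? (192.168.1.77) at 00:50:56:11:22:33 on fxp0 expires in 600 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds)"
)

@dataclass
class ArpEntry:
    ip: str
    mac: str
    ifname: str
    permanent: bool

def parse_arp(text):
    """Parse `arp -an` lines into ArpEntry records; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["ifname"],
                                    m["state"] == "permanent"))
    return entries

def audit(entries, expected):
    """Return (kind, ip, detail) findings for drifted, unpinned or missing bindings."""
    findings, seen = [], set()
    for e in entries:
        seen.add(e.ip)
        want = expected.get(e.ip)
        if want is None:
            continue                       # host we hold no expectation for
        if e.mac != want.lower():
            findings.append(("mac-mismatch", e.ip, f"expected {want}, cache has {e.mac}"))
        elif not e.permanent:
            findings.append(("not-permanent", e.ip, "entry can still be replaced by an ARP reply"))
    for ip in expected:
        if ip not in seen:
            findings.append(("missing", ip, "no cache entry; static binding not installed"))
    return findings
```

Run `audit(parse_arp(subprocess.check_output(["arp", "-an"], text=True)), EXPECTED)` on a live host to apply it to the real cache.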