From owner-freebsd-security Tue Jul 29 12:43:50 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA08379 for security-outgoing; Tue, 29 Jul 1997 12:43:50 -0700 (PDT)
Received: from chaos.amber.org (root@chaos.amber.org [205.231.232.12]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA08366 for ; Tue, 29 Jul 1997 12:43:43 -0700 (PDT)
Received: from chaos.amber.org (petrilli@chaos.amber.org [205.231.232.12]) by chaos.amber.org (8.7.5/8.6.12) with SMTP id PAA23807; Tue, 29 Jul 1997 15:43:23 -0400 (EDT)
Date: Tue, 29 Jul 1997 15:43:21 -0400 (EDT)
From: Christopher Petrilli
To: Poul-Henning Kamp
cc: Warner Losh , Robert Watson , security@FreeBSD.ORG
Subject: Re: Detecting sniffers (was: Re: security hole in FreeBSD)
In-Reply-To: <284.870203173@critter.dk.tfs.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> >I will note that there are a few people (ODS and Bay Networks included)
> >who make what is called "secure Ethernet", which basically learns what MAC
> >address is on each port, and scrambles frames that are not destined for
> >that MAC. What usually happens is it replaces the data payload with
> >alternating 0/1, and fixes the checksum. It works just fine :-) It's
> >also generally cheaper than a switch.
>
> Except that most of them are easy to spoof: Set up your sniffer to
> output 10 packets with different "from" MAC and it figures "hey port

Well, it does only allow a MAC to appear once, so you would realise this
quite quickly. But a switch is the same as well, unless you've hard coded
VLAN type information based on MAC addresses into the switch---which is
unmaintainable.

Christopher
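
Added example, not part of the original message and not any vendor's firmware: a toy Python model of the per-port MAC learning and frame scrambling discussed above, showing how the "a MAC may appear only once" rule flags a port that sources frames under another station's address. The class, its method names, the MAC addresses and the traffic are all constructed, and the CRC covers only the payload as a simplification.

```python
import zlib

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"  # constructed

class SecureRepeater:
    """Hypothetical model of a 'secure Ethernet' repeater: one learned MAC per port."""
    def __init__(self, ports):
        self.learned = {p: None for p in ports}  # port -> learned MAC
        self.alerts = []                         # (kind, port, mac)

    def _learn(self, port, src):
        owner = next((p for p, m in self.learned.items() if m == src), None)
        if owner is not None and owner != port:
            # A MAC may appear only once: it is already bound to another port.
            self.alerts.append(("duplicate-mac", port, src))
        elif self.learned[port] is None:
            self.learned[port] = src
        elif self.learned[port] != src:
            # The port already has an owner; a second source address is suspect.
            self.alerts.append(("extra-mac-on-port", port, src))

    def repeat(self, in_port, src, dst, payload):
        """Return {port: (payload, crc)} as every other port sees the frame."""
        self._learn(in_port, src)
        out = {}
        for port, mac in self.learned.items():
            if port == in_port:
                continue
            if dst == BROADCAST or mac == dst:
                data = payload
            else:
                data = b"\x55" * len(payload)  # alternating 0/1 bits
            # Simplification: CRC over the payload only, recomputed after scrambling.
            out[port] = (data, zlib.crc32(data))
        return out

def demo():
    hub = SecureRepeater([1, 2, 3])
    for port, mac in ((1, A), (2, B), (3, C)):   # each station announces itself
        hub.repeat(port, mac, BROADCAST, b"hello")
    seen = hub.repeat(1, A, B, b"secret")        # unicast A -> B
    hub.repeat(3, A, C, b"x")                    # port 3 sources A's address
    hub.repeat(3, "00:00:00:00:00:0d", C, b"x")  # port 3 sources an unknown address
    return seen, hub.alerts

if __name__ == "__main__":
    print(demo())
```

In this model the alert list is what an operator would watch: the port that is not the unicast destination only ever receives the 0/1 pattern, and any port that starts sourcing a second address shows up immediately.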