[linux-security] Re: Ethernet card addr <-> IP
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Fri Jun 19 02:00:16 1998
To: glynn@sensei.co.uk (Glynn Clements)
Date: Fri, 19 Jun 1998 07:21:42 +0200 (MET DST)
Cc: R.E.Wolff@BitWizard.nl, richard@kokoro.com, linux-security@redhat.com
In-Reply-To: <13703.52436.35697.208015@cerise.sensei.co.uk> from "Glynn Clements" at Jun 17, 98 03:04:04 pm
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Glynn Clements wrote:
>
>
> Rogier Wolff wrote:
>
> > > Someone I'm working with has a requirement to map ethernet card addresses
> > > to unique IP addresses, and then have a Linux IP masquerade server know of
> > > this mapping list and not allow any data to pass from any ethernet card
> > > that a) it doesn't know about, or b) isn't assigned the right IP. Ideally
> > > it would also log this condition.
> >
> > Ifconfig your ethernet with the noarp option. Add static (but not
> > public) arp entries for your hosts. Bingo!
>
> That will stop people from hijacking packets using ARP spoofing, but I
> think that the original question was about doing it the other way
> around, i.e. ensuring that the *source* MAC address matches the
> *source* IP address. Can this be done?
My guess is "not by default".
My hack above also doesn't work: this would disallow the server
answering the arps from the client. I would have thought that a
published arp would still get published, but I checked the source: no.
If you would want to do this, you would alas still have to hack a
little at the source. The neatest option would be to split the NO_ARP
option in "don't send arp requests" and "don't answer arp requests".
Let me reiterate: system admins fear most the attack that they
themselves know how to perform. I see groups of sysops afraid of IP
spoofing (these disallow "trusted hosts"). I see others afraid of
packet loggers (these disallow "rsh" & friends).
If you make the server not arp for the clients, but instead use a
static table, you make it one step harder for an attacker to put in a
linux floppy and spoof a trusted host. (If you just use my hack above,
you'll need to turn the interface promisc for it to work).
If you complete the whole thing to check source ethernet addresses as
well, you will require an attacker to add two lines to an ethernet
driver before spoofing your server. (I know how to do THAT, so I'm
not impressed by protection methods relying on this not being done).
Roger.
>
> --
> Glynn Clements <glynn@sensei.co.uk>
>
--
Actor asks a colleague: "To what do you owe your success in acting?"
Answer: "Honesty. Once you've learned how to fake that, you've got it made."
-------- Custom Linux device drivers for sale! Call for a quote. ----------
Email: R.E.Wolff@BitWizard.nl || Tel: +31-15-2137555 || FAX: +31-15-2138217
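The "check source ethernet addresses as well, and log it" part of the original request, as an added user-space illustration that is not from this thread or from the kernel source Roger refers to: each captured frame's source MAC is looked up in a static MAC-to-IP table and any unknown MAC or MAC/IP mismatch produces a log line. The allow-list, the frame builder and all addresses are constructed for the example; Roger's caveat stands, since a source MAC is trivially forged, so this detects mistakes and casual spoofing, not a determined attacker.

```python
import struct

# Constructed allow-list: the static MAC -> IP mapping the masquerade host trusts.
ALLOWED = {
    "00:11:22:33:44:55": "192.168.1.10",
    "00:11:22:33:44:66": "192.168.1.11",
}
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def check_frame(frame: bytes, allowed=ALLOWED):
    """Return None if the frame's source MAC/IP pair is permitted,
    otherwise a short reason string suitable for logging."""
    if len(frame) < 14:
        return "runt frame"
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None  # only IPv4 payloads are policed here; ARP etc. pass
    src_mac = mac_str(src)
    if len(frame) < 14 + 20:
        return f"{src_mac}: truncated IPv4 header"
    if (frame[14] & 0x0F) < 5:  # IHL sanity check before trusting offsets
        return f"{src_mac}: bad IHL {frame[14] & 0x0F}"
    src_ip = ip_str(frame[14 + 12:14 + 16])  # IPv4 source address field
    expected = allowed.get(src_mac)
    if expected is None:
        return f"{src_mac}: unknown MAC (claims {src_ip})"
    if expected != src_ip:
        return f"{src_mac}: expected {expected}, got {src_ip}"
    return None


def build_frame(src_mac: str, src_ip: str, dst_ip: str = "10.0.0.1") -> bytes:
    """Construct a minimal Ethernet + IPv4 frame (test input, not captured traffic)."""
    eth = (bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip_hdr


def audit(frames, allowed=ALLOWED):
    """Return one log line per frame that violates the static mapping."""
    return [r for r in (check_frame(f, allowed) for f in frames) if r]
```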