nanog mailing list archives
Re: {SPAM?} Re: IPv6 Deployment for the LAN
From: "David W. Hankins" <David_Hankins () isc org>
Date: Fri, 23 Oct 2009 14:11:37 -0700
On Fri, Oct 23, 2009 at 12:50:47PM +1300, Perry Lorier wrote:
> I've implemented myself a system which firewalled all ARP within the AP and queried the DHCP server asking for the correct MAC for that lease then sent the ARP back (as well as firewalling DHCP servers and the like). It's quite easily doable, and quite reliable. If nodes were to send packets directly when associated to an AP then the 802.11 protocol would fall apart, I've never met an implementation that broke this requirement of the standard.
It had not occurred to me to intercept ARP (or ND) as a transition mechanism, that is pretty clever, but the idea of using DHCPv* leasequery as a way to make IP->MAC resolution both secure and unicast is something I've heard many times. I don't know about my peers, but I would be very interested to see an RFC that describes and examines your results.
> You can of course pretend you're the AP and send a packet if you're wanting to be vicious enough.
Yes, of course, that is much simpler. If the attacker can associate with the real wireless network, they can always bridge and provide a rogue AP to insert themselves in the middle. Sometimes in focusing on packet exchanges, we miss the forest for the trees.

--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again." -- Jack T. Hankins
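The ARP handling described in the quoted text, as an added example that is not code from this thread or from either poster: the AP drops client ARP and answers requests itself, by unicast, from lease data. The `LEASES` table is a constructed stand-in for a DHCP leasequery lookup, and the sender-versus-lease check and all function names are assumptions of this sketch.

```python
import struct

# Constructed lease data standing in for the DHCP server's leasequery answer
# (IP -> MAC); a real AP would ask the server instead of reading a dict.
LEASES = {"192.0.2.10": "02:00:00:aa:bb:01", "192.0.2.20": "02:00:00:aa:bb:02"}

ETH_ARP = b"\x08\x06"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))

def ip_text(raw):
    return ".".join(str(b) for b in raw)

def build_frame(dst, src, oper, sha, spa, tha, tpa):
    """Ethernet header plus a 28-byte IPv4-over-Ethernet ARP body."""
    return dst + src + ETH_ARP + struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

def handle_arp(frame, leases=LEASES):
    """Return the unicast reply the AP sends back, or None to drop the frame."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return None
    src = frame[6:12]
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if oper != 1:
        return None  # ARP replies from clients are never forwarded
    # Assumed extra policy: the requester must be using its own leased address.
    own = leases.get(ip_text(spa))
    if own is None or mac_bytes(own) != sha or sha != src:
        return None
    leased = leases.get(ip_text(tpa))
    if leased is None:
        return None  # no lease for the target: nothing trustworthy to answer
    target_mac = mac_bytes(leased)
    # Reply goes only to the requester and carries the MAC from the lease.
    return build_frame(src, target_mac, 2, target_mac, tpa, sha, spa)
```
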