Vulnerability Development mailing list archives

Re: spoofing the ethernet address


From: jnduncan () CISCO COM (Jim Duncan)
Date: Thu, 2 Mar 2000 03:18:02 -0500


Ben Grubin writes:
Trivial, actually.  Most cards allow programmable MAC addressing, so
changing them around is usually easy.  Of course, since the source MAC is
only visible on the directly attached segment, this is only useful if you
are doing "bad things" on the segment your machine physically resides on.
Once you hit a routing device, it's IP only.

_All_ cards allow it, or things like DECnet break horribly.  That's why DEC
networking gear had port security functions that always allowed _two_ MAC
addresses to be defined per port, just in case DECnet was in use.  The host
would possibly come up first with its "real" MAC address, and then promptly
switch to a DECnet MAC address once the DECnet stack was loaded.

For those that don't know, DECnet addresses are encoded in the MAC address.

Since the MAC address is programmable, and typically not tracked, it can't
be used as a reliable forensic data source.

Tools like arpwatch and arpsnmp that have been around for years can track
the use of MAC addresses reasonably reliably, and MAC addresses _can_ be
used as forensic evidence as long as the reliability is addressed
truthfully.  Your mileage may vary, and I'm not a lawyer.

The important point here that the poster has emphasized is that (1)
contrary to popular belief, MAC addresses are not "carved in stone" and can
be changed at the whim of the user.  Therefore, (2) unless proper steps are
taken, the veracity of MAC address logging is questionable at best.

        Jim


--
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>  Phone(Direct/FAX): +1 919 392 6209
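As an added example, not part of this thread or of arpwatch itself: a small Python tracker that replays constructed ARP observations, reports MAC changes per IP using arpwatch's report names, and decodes DECnet-derived MACs (AA-00-04-00-xx-yy, Phase IV encoding) so the expected address switch the post describes can be told apart from an unexplained change.

```python
# arpwatch-style tracking of IP-to-MAC bindings over ARP observations; the
# DECnet decoder explains the two-MAC behaviour the post describes.
# SAMPLE is constructed for this example, not captured traffic.
from collections import defaultdict

DECNET_PREFIX = "aa:00:04:00"   # well-known prefix of DECnet station MACs

def decnet_address(mac):
    """Return (area, node) if mac is DECnet-derived, else None.
    DECnet Phase IV stores the 16-bit node address (6-bit area, 10-bit
    node) little-endian in the last two octets of AA-00-04-00-xx-yy."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or ":".join(octets[:4]) != DECNET_PREFIX:
        return None
    value = (int(octets[5], 16) << 8) | int(octets[4], 16)
    return value >> 10, value & 0x3FF

def watch(observations):
    """Return arpwatch-style events for (time, ip, mac) tuples:
    'new station' on first sight, 'changed ethernet address' for an
    unseen MAC, 'flip flop' when an IP reverts to an earlier MAC."""
    current = {}                  # ip -> mac last seen
    history = defaultdict(set)    # ip -> every mac ever seen
    events = []
    for when, ip, mac in observations:
        mac = mac.lower()
        if ip not in current:
            kind = "new station"
        elif mac == current[ip]:
            continue              # binding unchanged, nothing to report
        elif mac in history[ip]:
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        dn = decnet_address(mac)
        if dn:                    # the expected switch, not a spoof
            kind += " (DECnet %d.%d)" % dn
        events.append((when, ip, mac, kind))
        current[ip] = mac
        history[ip].add(mac)
    return events

# Constructed sample: DECnet host switching MAC after boot; .9 claimed by
# another MAC, then reverting.
SAMPLE = [
    (1, "10.0.0.5", "08:00:2b:11:22:33"),
    (2, "10.0.0.5", "AA:00:04:00:01:04"),   # DECnet 1.1
    (3, "10.0.0.9", "00:10:4b:aa:bb:cc"),
    (4, "10.0.0.9", "00:e0:1e:dd:ee:ff"),
    (5, "10.0.0.9", "00:10:4b:aa:bb:cc"),
]
```

A real deployment would feed `watch` from live ARP captures and keep the binding table on disk, which is what makes such a log worth anything as evidence later.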


