Vulnerability Development mailing list archives

Re: ARP silliness w/ Cisco 675


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Tue, 28 Sep 1999 12:04:35 -0000


There is no real good way of defending against ARP
spoofing.

The ARP RFC states that when a host receives an ARP
query for itself, it should enter the sender's
address tuple into its ARP table so as to refrain
from having to query for information that it has
already, in effect, received.

This means that most (all?) systems may be ARP-spoofed
by sending spoofed queries to them instead of
spoofed answers - the effect will be the same.
This way, you don't have to worry about race
conditions.

One way around this would be to NOT enter
the sender's address tuple into the ARP table, but
rather query for it every time and that way at least
get the race condition "protection" (duh).

As noted earlier, you can at least get a warning
message when an IP changes MAC address, which may
grant you some protection. This however requires
that the entries never time out, otherwise there's
nothing to compare to.

It would seem to me that the only defense is
to add static entries for every host ON every
host (yuck).

Some quick ideas that probably won't work, but
could be used as a starting point of discussion?:

1. Add a central system having a master list
of MAC/IP tuples, which sends responses signed
by an asymmetric cipher function. (Certificate)
This could be a function in your router/firewall.
This would require all hosts on the net to know
the public key of the master system before they
can communicate at all.

2. Stop sending to single addresses; start broadcasting
everything instead. Yeah I know, sucky solution, it
breaks switches. Don't tell me that "everyone will
be able to snoop traffic" however, they can already
do that.

3. When you receive a changed MAC address, query
for the IP again and see what responses you receive
in, say, 1 second. If any of the responses match
what you already know, don't change your entry.
This assumes that you already had the entry, of course,
and that the entry you DO have is not that of an
attacker, in which case you'd only be aiding the
attacker.

*sigh*

IMHO, you can't achieve perfect security
over an ethernet LAN, the only way to increase
security is to compartmentalize the network,
utilizing at least a router, or perhaps a multi-NIC
firewall.

I'd say that the best you can do for a LAN is to
log changes of MAC addresses and try to track down
intruders and persuade them to cease and desist,
utilizing your favourite aluminum bat. *g*

Regards,
/Mikael Olsson
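The "warn when an IP changes MAC address" defense described in the post, together with its two caveats (entries must never expire, and the sender tuple in ARP *requests* populates caches just as replies do), as an added example that is not part of the original post. It is a small passive monitor in the style of arpwatch: it parses raw Ethernet/IPv4 ARP frames, learns the first sender binding it sees for each IP, never ages entries out, and raises an alert whenever a later request or reply carries a different MAC for a known IP. The frames it is fed are constructed sample input built inline by `build_arp` (a hypothetical helper for the demo); a real deployment would read frames from a capture interface. The post's own warning still applies: the binding kept is simply the first one observed, so if the first frame seen was already bogus the monitor has learned the wrong baseline.

```python
"""Passive ARP binding monitor (added example, not the poster's code)."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpInfo:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed Ethernet + ARP frame, used only as sample input for the monitor."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # ARP header: htype=Ethernet(1), ptype=IPv4, hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpInfo(opcode, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpMonitor:
    """Learns IP -> MAC bindings from the sender fields of every ARP frame and
    alerts on any change. Entries never expire, otherwise there is nothing
    to compare a new claim against."""

    def __init__(self):
        self.table = {}   # sender_ip -> first sender_mac seen
        self.alerts = []

    def observe(self, frame: bytes) -> Optional[str]:
        info = parse_arp(frame)
        if info is None:
            return None
        known = self.table.get(info.sender_ip)
        if known is None:
            self.table[info.sender_ip] = info.sender_mac
            return None
        if known != info.sender_mac:
            # Requests are checked as well as replies: a cache would learn from either.
            kind = "request" if info.opcode == ARP_REQUEST else "reply"
            alert = (f"{info.sender_ip} changed MAC {known} -> {info.sender_mac} "
                     f"(seen in ARP {kind})")
            self.alerts.append(alert)   # log it; the stored binding is left as-is
            return alert
        return None


def run_demo() -> ArpMonitor:
    """Feed constructed frames: two legitimate hosts, then a conflicting claim for 10.0.0.1."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, "00:00:00:aa:aa:aa", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
        build_arp(ARP_REPLY, "00:00:00:bb:bb:bb", "10.0.0.2", "00:00:00:aa:aa:aa", "10.0.0.1"),
        build_arp(ARP_REQUEST, "00:00:00:aa:aa:aa", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.3"),
        # constructed conflicting frame: same sender IP, different sender MAC, sent as a request
        build_arp(ARP_REQUEST, "00:00:00:cc:cc:cc", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
    ]
    for f in frames:
        alert = mon.observe(f)
        if alert:
            print("ALERT:", alert)
    return mon


if __name__ == "__main__":
    run_demo()
```

Only the conflicting fourth frame produces an alert, and it is flagged even though it is a request rather than a reply, which is the point the post makes about spoofed queries. The learned table keeps the original `aa:aa:aa` binding for 10.0.0.1, matching the "don't change your entry" idea; whether that first binding deserves trust is exactly the open question the post raises.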
