Re: ARP silliness w/ Cisco 675

[tschroed () ACM ORG (Trevor Schroeder)]

On Tue, 28 Sep 1999, Mikael Olsson wrote:

> The ARP RFC states that when a host receives an ARP
> query for itself, it should enter the sender's
> address tuple into its ARP table so as to refrain
> from having to query for information that it has
> already, in effect, received.

Just because the RFC states it, does not make it gospel.  As much as I am
in favor of RFC compliant behaviour, sometimes it's necessary to bend them
as circumstances change.  Not accepting ARPs any time from any body might
be an acceptable change.  It's not something that breaks the operation of
the protocol.

> One way around this would be to NOT enter
> the sender's address tuple into the ARP table, but
> rather query for it every time and that way atleast
> get the race condition "protection" (duh).

That's icky.  As I mentioned in a previous post, Linux does something
that's interesting.  While it's certainly not foolproof, it seems to be
better than nothing.

> 1. Add a central system having a master list
> of MAC/IP tuples, which sends responses signed

This is a really Bad Idea [tm].  You should consider long and hard before
you resort to a central coordinator (and point of failure).  That's the
whole point behind having a distributed algorithm such as ARP.

Besides, how are we going to know the ARP server's MAC address?

> by an asymmetric cipher function. (Certificate)

Now this is the correct approach but in the wrong context.  The proper
solution is IPsec's authentication headers.  Let layer 2 play games if you
want, but your attacker is going to have a hard time getting the AH right.

> 2. Stop sending to single addresses; start broadcasting
> everything instead. Yeah I know, sucky solution, it

Also a terrible idea.  In a shared media environment, you will absolutely
swamp your machines.  (If you have a saturated Fast Ethernet segment,
everyone on that segment is processing 100Mbps of traffic.  ick)

In a switched environment it is even worse as it effectively turns your
switch into a hub.  And hey, who needs to sniff now that the whole net is
broadcast?

> breaks switches. Don't tell me that "everyone will
> be able to snoop traffic" however, they can already
> do that.

*smirk*  Oops.  Anyhow, I don't know anyone who would be pleased to find
their 7GBps switch fabric can effectively only push 100Mbps.

> 3. When you receive a changed MAC address, query
> for the IP again and see what responses you receive
> in, say, 1 second. If any of the responses match

This is sort of what Linux does.  Not strictly RFC compliant, but close
enough for government work.  (actually it checks the old MAC to see if it
still claims the IP address being queried)
..........................................................................
: "I knew it was going to cost me my head and also my swivel chair, but  :
: I thought: What the hell--better men than I have risked their heads    :
: and their swivel chairs for truth and justice." -- James P. Cannon     :
:........... http://www.zweknu.org/ for PGP key and more ................: