Vulnerability Development mailing list archives
Re: ARP silliness w/ Cisco 675
From: tschroed () ACM ORG (Trevor Schroeder)
Date: Tue, 28 Sep 1999 12:48:23 -0500
On Tue, 28 Sep 1999, Mikael Olsson wrote:
The ARP RFC states that when a host receives an ARP query for itself, it should enter the sender's address tuple into its ARP table so as to refrain from having to query for information that it has already, in effect, received.
Just because the RFC states it, does not make it gospel. As much as I am in favor of RFC compliant behaviour, sometimes it's necessary to bend them as circumstances change. Not accepting ARPs any time from any body might be an acceptable change. It's not something that breaks the operation of the protocol.
One way around this would be to NOT enter the sender's address tuple into the ARP table, but rather query for it every time and that way atleast get the race condition "protection" (duh).
That's icky. As I mentioned in a previous post, Linux does something that's interesting. While it's certainly not foolproof, it seems to be better than nothing.
1. Add a central system having a master list of MAC/IP tuples, which sends responses signed
This is a really Bad Idea [tm]. You should consider long and hard before you resort to a central coordinator (and point of failure). That's the whole point behind having a distributed algorithm such as ARP. Besides, how are we going to know the ARP server's MAC address?
by an asymmetric cipher function. (Certificate)
Now this is the correct approach but in the wrong context. The proper solution is IPsec's authentication headers. Let layer 2 play games if you want, but your attacker is going to have a hard time getting the AH right.
2. Stop sending to single addresses; start broadcasting everything instead. Yeah I know, sucky solution, it
Also a terrible idea. In a shared media environment, you will absolutely swamp your machines. (If you have a saturated Fast Ethernet segment, everyone on that segment is processing 100Mbps of traffic. ick) In a switched environment it is even worse as it effectively turns your switch into a hub. And hey, who needs to sniff now that the whole net is broadcast?
breaks switches. Don't tell me that "everyone will be able to snoop traffic" however, they can already do that.
*smirk* Oops. Anyhow, I don't know anyone who would be pleased to find their 7GBps switch fabric can effectively only push 100Mbps.
3. When you receive a changed MAC address, query for the IP again and see what responses you receive in, say, 1 second. If any of the responses match
This is sort of what Linux does. Not strictly RFC compliant, but close enough for government work. (actually it checks the old MAC to see if it still claims the IP address being queried) .......................................................................... : "I knew it was going to cost me my head and also my swivel chair, but : : I thought: What the hell--better men than I have risked their heads : : and their swivel chairs for truth and justice." -- James P. Cannon : :........... http://www.zweknu.org/ for PGP key and more ................:
Current thread:
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 28)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 29)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 29)
- Re: ARP silliness w/ Cisco 675 Mikael Olsson (Sep 29)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)
- Re: ARP silliness w/ Cisco 675 Trevor Schroeder (Sep 28)