[c-nsp] against arp spoofing
Mikael Abrahamsson
swmike at swm.pp.se
Sun May 29 05:00:09 EDT 2005
On Sun, 29 May 2005, Gert Doering wrote:
> To have one IP subnet span multiple VLAN sort of ruins the intended
> effect (layer 3 separation, and automatic anti-spoofing).
No, it doesn't, since you cannot do any layer 2 stuff to do
man-in-the-middle (two different users can use the same MAC address in the
same subnet and it still works), and if you also control which vlan a
certain IP number has to be in, you also control the downstream path (no
ARP spoofing). Combine this with an anti-spoofing filter on ingress (we do
this in our ethernet dslams), and you have as far as I have been able to
discern, a foolproof system where there is no way the user can do anything
to his/her neighbours. No tunnels, just pure ethernet and IP.
Extreme Networks does this with their RFC3069 feature which they call
super/subvlan. The bad part is that it has to be statically assigned which
IP address is in each vlan, but it does provide a lot of security.
I have asked Cisco to implement this in their 3550/3750 line of equipment
but so far to no avail. You can get approximately the same with some of
their DHCP snooping techniques, but we like to do things statically and as
far as I know, it's still not possible. Also, since the 3550/3750 only
supports 1024 simultaneous vlans, that's also a limiting factor.
--
Mikael Abrahamsson email: swmike at swm.pp.se
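As an added illustration (not from the post, and not vendor code or configuration), a small Python model of the scheme described above: one IP subnet, one sub-VLAN per subscriber, a static IP-to-VLAN table and an ingress anti-spoofing filter, contrasted with a flat VLAN where the same filter no longer isolates neighbours. All port names, VLAN numbers and addresses are constructed.

```python
# Model of the design discussed in the post: one IP subnet, one sub-VLAN per
# subscriber (RFC 3069 style), a static IP->VLAN table and an ingress
# anti-spoofing filter. Names, VLAN numbers and addresses are constructed
# for this example; nothing here is vendor code or taken from the post.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Frame:
    in_port: str
    src_mac: str
    sender_ip: str  # IP source of a packet, or the sender IP of an ARP reply


@dataclass
class Design:
    ip_to_vlan: Dict[str, int]    # static assignment: the VLAN each IP must use
    port_to_vlan: Dict[str, int]  # the VLAN each access port sits in

    def ingress_allowed(self, frame: Frame) -> bool:
        """Ingress anti-spoofing filter: accept a frame only if the IP it
        claims is assigned to the VLAN of the port it arrived on. The MAC is
        ignored on purpose: two users may share a MAC and still be kept apart."""
        expected = self.ip_to_vlan.get(frame.sender_ip)
        return expected is not None and expected == self.port_to_vlan[frame.in_port]

    def downstream_vlan(self, dst_ip: str) -> Optional[int]:
        """The router sends traffic for dst_ip only into that IP's own VLAN,
        whatever ARP entry it may currently hold for the address."""
        return self.ip_to_vlan.get(dst_ip)

    def neighbour_isolated(self, port: str, neighbour_ip: str) -> bool:
        """True if a host on `port` can neither get an ARP reply claiming
        neighbour_ip past the ingress filter (upstream) nor sit in the VLAN
        the router uses to reach neighbour_ip (downstream)."""
        claim = Frame(port, "00:00:5e:00:53:01", neighbour_ip)
        can_inject = self.ingress_allowed(claim)
        can_receive = self.downstream_vlan(neighbour_ip) == self.port_to_vlan[port]
        return not (can_inject or can_receive)


# Two subscribers in 192.0.2.0/24 with one sub-VLAN per subscriber ...
PER_SUBSCRIBER = Design({"192.0.2.10": 101, "192.0.2.11": 102},
                        {"port1": 101, "port2": 102})
# ... versus the conventional single shared VLAN for the whole subnet.
FLAT = Design({"192.0.2.10": 100, "192.0.2.11": 100},
              {"port1": 100, "port2": 100})
```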