[c-nsp] against arp spoofing

Gert Doering gert at greenie.muc.de
Sun May 29 06:16:45 EDT 2005


Hi,

On Sun, May 29, 2005 at 11:00:09AM +0200, Mikael Abrahamsson wrote:
> On Sun, 29 May 2005, Gert Doering wrote:
> 
> > To have one IP subnet span multiple VLAN sort of ruins the intended 
> > effect (layer 3 separation, and automatic anti-spoofing).
> 
> No, it doesn't, since you cannot do any layer 2 stuff to do 
> man-in-the-middle (two different users can use the same MAC address in the 
> same subnet and it still works), 

I'm not sure if I believe that.  If you share a subnet, at least the
router port would see the double MAC address, and then the packet
forwarding will get "interesting".  Most likely you cannot do MITM, but
you will be able to spoof-and-disrupt, which is nearly as bad.

[..]
> I have asked Cisco to implement this in their 3550/3750 line of equipment 
> but so far to no avail. You can get approximately the same with some of 
> their DHCP snooping techniques, but we like to do things statically and as 
> far as I know, it's still not possible. Also, since the 3550/3750 only 
> supports 1024 simultaneous vlans, that's also a limiting factor.

ip source-guard can do something similar (with statically configured 
mac-to-ip mappings).

gert


-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
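As an added illustration of the static ip source-guard approach mentioned above (this is not config from the thread or from either poster), the IOS fragment below binds one MAC/IP pair to an access port and trusts the uplink. Interface names, VLAN 100, the MAC address and the 192.0.2.0/24 addresses are constructed placeholders; note that IP source guard filters IP packets by source address on the port, while forged ARP replies are handled separately by Dynamic ARP Inspection, which consults the same binding table.

```cisco
! Constructed example for a Catalyst 3550/3750-class switch; all names,
! VLAN numbers, MAC and IP addresses are placeholders.
!
! IP source guard consults the DHCP snooping binding table, so snooping
! must be enabled on the VLAN even when every binding is static.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Dynamic ARP Inspection uses the same binding table to drop ARP
! replies whose sender MAC/IP do not match a binding on that port.
ip arp inspection vlan 100
!
! Static binding: only this MAC/IP pair may be a source on Fa0/1.
ip source binding 0011.2233.4455 vlan 100 192.0.2.10 interface FastEthernet0/1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 ! "ip verify source" alone checks the source IP; adding port-security
 ! also checks the source MAC against the binding.
 switchport port-security
 ip verify source port-security
!
! The router-facing uplink is trusted, so its traffic is not filtered
! and legitimate ARP from the gateway is not inspected.
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
```

`show ip source binding` and `show ip verify source` display the active bindings and per-port filter state for checking the result.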

