[f-nsp] mac address forging !
iVAN G
mraptor at gmail.com
Fri Nov 26 17:58:02 EST 2004
Yes, I thought about this, but this only protects by authenticating the correct user; once it is authenticated the user can modify the IP address to whatever it wants, i.e. forge the address, and so present himself as a different user.
How do u protect from this?
The only thing I can come up with till now is usage of some weird way of VLAN IDs, i.e. set a different VLAN ID on every port on every noname-switch; then I'd have to have some way to set the IP address via DHCP based on the VLAN ID, and similar ... along these lines ....
I'm wondering how do u ppl do these things. Is there some hidden feature :") I don't know of?
The thing needed is a way to securely give the user specific IP address(es) via DHCP, with the ability to forbid user access if it forges the MAC and/or IP address, when u are in a mixed environment, i.e. not only Foundry switches.
Sorry if I'm asking too much..
PS. On the CATV I use the following technique. The DHCP server gives the user an IP based on the cable modem MAC address. The advantages are:
- modem MAC addresses are almost impossible to forge; even if they succeed with some older modems there are other means of blocking them :")
- I don't have to remember/store users' ethernet card MAC addresses, i.e. they can change it at any time they want w/o bothering me, but they still get the correct IP.
- and if they try to change their IP address their access is blocked on the cable modem.
- based on their unforged IP I give them the correct services.
In my case, possibly if Foundry switches can change DHCP option-82 on the fly to include vlanid, ingress-foundry-port, foundry-switch-MAC :") !!! then ...
On Fri, 26 Nov 2004 21:33:28 +0100, Niels Bakker
<niels=foundry-nsp at bakker.net> wrote:
> * mraptor at gmail.com (iVAN G) [Fri 26 Nov 2004, 15:36 CET]:
> > I'm just reading the docs of the FastIron and saw there is
> > MAC based Radius auth. So far so good, but how did u protect from MAC
> > address forging ? If u have the following situation :
> >
> > FastIron <---> noname-switch <----> user
>
> You don't. You could use port security to keep MACs locked to one
> particular port but that doesn't protect users on the noname switch.
>
>
> > In fact I want to achieve a secure way to assign IP address
> > to the users and block any attempt from them to forge IP and/or MAC address.
>
> use 802.1X
>
> -- Niels.
>
> --
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
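The CATV approach above (address assigned from an identifier the user cannot change, not from the user's own NIC MAC) and the option-82 idea at the end of the post are the same design: key the lease on what a trusted device inserts, and ignore the client's chaddr. The following is an added illustration written for this page, not code from the thread, from Foundry, or from any DHCP server. It parses the DHCP option field and the RFC 3046 Relay Agent Information sub-options (1 = Agent Circuit ID, 2 = Agent Remote ID) and looks the lease up on that pair only. The lease table, switch MAC, port encoding and client MACs are constructed. It assumes the aggregation switch is the only device that can insert option 82 (untrusted ports must drop or overwrite a client-supplied option 82), which is exactly the property the "noname-switch" in the middle of the topology does not give you.

```python
"""Added example (not from the foundry-nsp thread): DHCP address assignment
keyed on relay agent information (option 82, RFC 3046) instead of the
client's forgeable MAC. All identifiers below are constructed."""

OPT_PAD = 0
OPT_END = 255
OPT_RELAY_AGENT_INFO = 82          # RFC 3046 "Relay Agent Information"
SUBOPT_CIRCUIT_ID = 1              # sub-option 1: Agent Circuit ID (ingress port)
SUBOPT_REMOTE_ID = 2               # sub-option 2: Agent Remote ID (switch identity)


def parse_tlv(data: bytes, pad=None, end=None) -> dict:
    """Parse a code/length/value sequence. Used both for the option field
    (after the magic cookie, with pad/end) and for the sub-options inside
    option 82 (which have no pad/end codes)."""
    out = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out[code] = value
        i += 2 + length
    return out


def encode_tlv(items: dict) -> bytes:
    """Inverse of parse_tlv, used to build constructed requests."""
    return b"".join(bytes([code, len(v)]) + v for code, v in items.items())


# Constructed lease table. The key is (remote-id, circuit-id): the switch
# that inserted option 82 and the port the request came in on. Nothing the
# client itself sends is part of the key.
LEASES = {
    (b"\x00\x0c\xdb\xaa\x00\x01", b"vlan101/port3"): "10.0.101.3",
    (b"\x00\x0c\xdb\xaa\x00\x01", b"vlan102/port7"): "10.0.102.7",
}


def assign_address(chaddr: bytes, options: bytes):
    """Return the address for this request, or None to refuse it.
    chaddr (the client hardware address) is deliberately ignored: a user
    changing their NIC MAC changes nothing here."""
    opts = parse_tlv(options, pad=OPT_PAD, end=OPT_END)
    relay = opts.get(OPT_RELAY_AGENT_INFO)
    if relay is None:
        return None                      # no trusted relay info: refuse
    subs = parse_tlv(relay)
    key = (subs.get(SUBOPT_REMOTE_ID), subs.get(SUBOPT_CIRCUIT_ID))
    return LEASES.get(key)               # unknown switch/port: refuse


def build_request_options(remote_id=None, circuit_id=None) -> bytes:
    """Constructed DHCPDISCOVER option field, with option 82 when the
    relay identifiers are given (i.e. the request passed the trusted switch)."""
    opts = {53: b"\x01"}                 # option 53: message type DISCOVER
    if remote_id is not None and circuit_id is not None:
        opts[OPT_RELAY_AGENT_INFO] = encode_tlv({SUBOPT_CIRCUIT_ID: circuit_id,
                                                 SUBOPT_REMOTE_ID: remote_id})
    return encode_tlv(opts) + bytes([OPT_END])


if __name__ == "__main__":
    switch = b"\x00\x0c\xdb\xaa\x00\x01"
    # two different client MACs on the same port get the same address
    print(assign_address(b"\xde\xad\xbe\xef\x00\x01",
                         build_request_options(switch, b"vlan101/port3")))
    print(assign_address(b"\xde\xad\xbe\xef\x00\x02",
                         build_request_options(switch, b"vlan101/port3")))
    # a request that did not come through the trusted relay is refused
    print(assign_address(b"\xde\xad\xbe\xef\x00\x01", build_request_options()))
```

The refusal on a missing or unknown option 82 is the part that matters for the question in the post: with this lookup the user's MAC buys them nothing, but the scheme is only as strong as the guarantee that option 82 was inserted by the switch you trust and not by the client or an intermediate unmanaged switch.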