Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

  • From: J. Oquendo
  • Date: Mon Jan 03 13:49:30 2005

On 3-jan-05, at 10:55:49, Iljitsch van Beijnum wrote:

> If you can then enforce the port->MAC->IP mappings you're pretty much
> bullet proof. I know there are switches that can handle the port->MAC
> part. An alternative for the MAC->IP part would be the TCP MD5 option or
> IPsec.

And what if an attacker sends membership queries with bogus MAC addresses
to a router via CGMP or IGMP messages to a switch... Would normal
filtering catch this problem (MAC spoofing/exhaustion)? Wouldn't the
switch or router say "WTF?"


x:x:x:x:x:x who has
Router "no one... you do loser"
x:x:x:x:x:x "I am now ... I am the king of the world"
Attacker via CGMP/IGMP --> Membership Query:
"Hello I am x:x:x:x:x:x at I want to join this group"
Router "checks MAC tables scratching its RAM"


// END //

Maybe I should lay off the caffeine. Aside from your bulletproof
situation, if the case held true: 1) Why haven't many implemented this? My
guess would be ANEL (Apparent Network Engineer Laziness, not pronounced
similar to ANAL). 2) Why hasn't someone made mention via RFC/Standard/^ETC?

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D

sil @ politrix . org
sil @ infiltrated . net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
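The port->MAC->IP enforcement Iljitsch describes, applied to the bogus-MAC IGMP join Oquendo sketches, as an added example that is not part of this thread: a report whose source MAC is not bound to the ingress port is dropped before the group join is ever evaluated, and a report whose source IP is not bound to that MAC is dropped next. Port names, addresses and the frames themselves are constructed for the example.

```python
import struct
import ipaddress

# Constructed binding tables standing in for a switch's port-security and
# DHCP-snooping/IP-source-guard state (hypothetical port names and addresses).
PORT_MAC = {"Gi0/1": "00:11:22:33:44:55", "Gi0/2": "00:11:22:33:44:66"}
MAC_IP = {"00:11:22:33:44:55": "192.0.2.10", "00:11:22:33:44:66": "192.0.2.11"}
IGMP_TYPES = {0x11: "membership-query", 0x16: "v2-membership-report", 0x17: "leave-group"}

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both the IPv4 and IGMP headers."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_igmpv2_report(src_mac: str, src_ip: str, group: str) -> bytes:
    """Build a minimal Ethernet/IPv4/IGMPv2 Membership Report frame (constructed input)."""
    g = ipaddress.IPv4Address(group).packed
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, g)
    igmp = igmp[:2] + struct.pack("!H", csum(igmp)) + igmp[4:]
    hdr = [0x45, 0, 20 + len(igmp), 0, 0, 1, 2, 0, ipaddress.IPv4Address(src_ip).packed, g]
    hdr[7] = csum(struct.pack("!BBHHHBBH4s4s", *hdr))
    # Multicast destination MAC: 01:00:5e + low 23 bits of the group address.
    dst_mac = b"\x01\x00\x5e" + bytes([g[1] & 0x7F, g[2], g[3]])
    src = bytes(int(b, 16) for b in src_mac.split(":"))
    return dst_mac + src + b"\x08\x00" + struct.pack("!BBHHHBBH4s4s", *hdr) + igmp

def check_frame(port: str, frame: bytes) -> tuple:
    """Enforce port->MAC, then MAC->IP, on an ingress frame; return (verdict, reason)."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    if frame[12:14] != b"\x08\x00":
        return ("accept", "non-IPv4 frame, not inspected here")
    ihl = (frame[14] & 0x0F) * 4
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))
    kind = IGMP_TYPES.get(frame[14 + ihl], "other-igmp") if frame[23] == 2 else "non-igmp"
    if PORT_MAC.get(port) != src_mac:
        return ("drop", f"port-mac mismatch: {kind} from {src_mac} on {port}")
    if MAC_IP.get(src_mac) != src_ip:
        return ("drop", f"mac-ip mismatch: {kind} from {src_mac} claims {src_ip}")
    return ("accept", f"{kind} from bound host {src_ip} on {port}")

if __name__ == "__main__":
    legit = build_igmpv2_report("00:11:22:33:44:55", "192.0.2.10", "239.1.2.3")
    bogus = build_igmpv2_report("00:11:22:33:44:66", "192.0.2.11", "239.1.2.3")
    print(check_frame("Gi0/1", legit))  # accepted: MAC and IP match the bindings
    print(check_frame("Gi0/1", bogus))  # dropped: that MAC is not bound to Gi0/1
```

The check answers the question in the post only for a switch that actually holds the bindings; a router that learns group membership from whatever MAC the report carries has nothing to compare against, which is why the enforcement point has to be the access port.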
