David W. Hankins wrote:
On Thu, Oct 22, 2009 at 03:57:40PM -0400, Ray Soucy wrote:
Really. How do we deal with rouge DHCP on the wireless LAN, obviously this is such a complex issue that we couldn't possibly have a solution that could be applied to RA.
There are some wireless equipment that claim to have a setting that forces all packets through the wireless bridge (where all traffic is between clients and bridge, and never client to client), and so one can filter DHCPv6 and maybe RA, but I am kind of skeptical about how much of this is elective and dependent upon client implementation...
When you're associated to an AP, you're in a "managed" wireless network, where all traffic *must* go through the AP. I've implemented myself a system which firewalled all ARP within the AP and queried the DHCP server asking for the correct MAC for that lease then sent the ARP back (as well as firewalling DHCP servers and the like). It's quite easily doable, and quite reliable. If nodes were to send packets directly when associated to an AP then the 802.11 protocol would fall apart, I've never met an implementation that broke this requirement of the standard.
In both cases there may still be some wireless adapters that receive bogus packets directly from attackers.
You can of course pretend you're the AP and send a packet if you're wanting to be vicious enough.