On 3-jan-05, at 10:55:49, Iljitsch van Beijnum wrote:

If you can then enforce the port->MAC->IP mappings you're pretty much bullet proof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.

And what if an attacker sends memberships queries with bogus MAC addresses to a router via CGMP or IGMP messages to a switch... Would normal filtering catch this problem (MAC spoofing/exhaustion) Wouldn't the switch or router say "WTF?" // EXAMPLE // x:x:x:x:x:x who has 10.10.1.2 Router "no one... you do loser" x:x:x:x:x:x "I am now 10.10.1.2 ... I am the king of the world" Attacker via CGMP/IGMP --> Membership Query: "Hello I am x:x:x:x:x:x at 10.10.2.2 I want to join this group" Router "checks MAC tables scratching its RAM" OTHER SCENARIOS: http://www.cs.ucsb.edu/~krishna/igmp_dos/ // END // Maybe I should lay off the caffeine. Aside from your bulletproof situation, if the case held true, 1) Why haven't many implemented this, my guess would be ANEL (Apparent Network Engineer Laziness not pronounced similar to ANAL) 2) why hasn't someone made mention via RFC/Standard/^ETC ... =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x51F9D78D Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D sil @ politrix . org http://www.politrix.org sil @ infiltrated . net http://www.infiltrated.net "How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey