Re: IPv6, IPSEC and DoS
On Mon, 3 Jan 2005, Mohacsi Janos wrote:
To prevent ARP or ND spoofing attacks you should have L2 switch support for it! Or you can use static ARP or ND entries, which is rather difficult to maintain.
Regards, Janos Mohacsi
Funny you should mention this. I thought about this but figure the following: regardless of VLAN/PVLAN settings, switches still need to build an ARP table, so I would think that one can still inject bogus ARP information, but it would likely be delegated to that particular segment where the MACs are being spoofed from. There was an instance last year where I saw a student using some form of LAN generator so he could spoof a network in order to play some XBOX game. Packeteers saw multiple MAC addresses coming from the ports in his room. When we investigated the situation he told us what the program was doing and we advised him to limit it via the pseudo-threat of disconnecting his port.

So what happens when an ARP-generating program collides with the address of your L2 switch or a database? VLAN/PVLAN, even static ARP entries, won't help much. At least I don't think there is much that can be done when someone is determined. I could be wrong; I am almost 99.999% of the time. Even an exhaustion attack could do some major damage.

http://www.infiltrated.net/cisco/vlan-insecurities.html
http://www.infiltrated.net/cisco/vlan-tagging-101.html
http://www.infiltrated.net/cisco/layer2-security.pdf

Aside from this, I've noticed there are quite a few OSes that still have issues regarding IPv6:

// http://seclists.org/lists/fulldisclosure/2004/Mar/1412.html
III. Impact
It may be possible for a local attacker to read portions of kernel memory, resulting in disclosure of sensitive information. A local attacker can cause a system panic.
//

Not to single out this one instance; there was also an issue with OpenBSD, and I'm sure I could find others for Windows and NetBSD as well.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net
"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
On 3-jan-05, at 16:29, J. Oquendo wrote:
To prevent ARP or ND spoofing attacks you should have L2 switch support for it! Or you can use static ARP or ND entries, which is rather difficult to maintain.
Funny you should mention this. I thought about this but figure the following: regardless of VLAN/PVLAN settings, switches still need to build an ARP table
Yes, and that's why you need static MAC forwarding tables too. If you can then enforce the port->MAC->IP mappings you're pretty much bulletproof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.
--- Iljitsch van Beijnum <iljitsch@muada.com> wrote:
If you can then enforce the port->MAC->IP mappings you're pretty much bulletproof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.
I guess it's true that everything old is new again: isn't this effectively circuit-switching? If you're dedicating network elements to particular hosts in a non-dynamic manner, doesn't that make your infrastructure effectively a PBX, where moving {device} from one room to the next requires a technician's assistance?

-David Barak
=====
David Barak
Need Geek Rock? Try The Franchise.
On 3 Jan 2005, at 11:11, David Barak wrote:
I guess it's true that everything old is new again: isn't this effectively circuit-switching?
No, it's packet-switching with a provisioning process reminiscent of the Book of Telco. Static provisioning does not a circuit make. Joe
--- Joe Abley <jabley@isc.org> wrote:
No, it's packet-switching with a provisioning process reminiscent of the Book of Telco. Static provisioning does not a circuit make.
Point made. What I was trying to say was that it has most of the disadvantages of a circuit-switched architecture...

=====
David Barak
On Mon, 3 Jan 2005, Joe Abley wrote:
On 3 Jan 2005, at 11:11, David Barak wrote:
I guess it's true that everything old is new again: isn't this effectively circuit-switching?
No, it's packet-switching with a provisioning process reminiscent of the Book of Telco. Static provisioning does not a circuit make.
You could go one step further to make it circuit switching and static route all traffic in both directions to the individual /128s... talk about FUN!
On Mon, 3 Jan 2005, David Barak wrote:
I guess it's true that everything old is new again: isn't this effectively circuit-switching? If you're dedicating network elements to particular hosts in a non-dynamic manner, doesn't that make your infrastructure effectively a PBX, where moving {device} from one room to the next requires a technician's assistance?
Not necessarily. Some public networks are moving away from the "ask everyone the question, anyone can answer" model. It cuts down on the chatter, and the spoofing. That doesn't mean you have to go to a static provisioning model, but it does mean you have to think harder about what you trust, what asks the questions and what answers the questions. You can still have a dynamic network, as long as it doesn't learn the wrong things.
On Mon, 3 Jan 2005, Sean Donelan wrote:
Not necessarily. Some public networks are moving away from the "ask everyone the question, anyone can answer" model. It cuts down on the chatter, and the spoofing. That doesn't mean you have to go to a static provisioning model, but it does mean you have to think harder about what you trust, what asks the questions and what answers the questions.
One example is the typical cable modem provider. A DOCSIS modem is provisioned with a MAC address known to the telco, and effectively creates a virtual "port" on a huge switch^Whub with the modem's MAC as the port identifier. The MAC of the device behind the virtual port is then provisioned using some sort of interface that detects and stores that MAC address as associated with the modem. At that point it's easy to automate the process and allow packets from known MAC addresses through only their associated virtual ports.

--
Todd Vierling <tv@duh.org> <tv@pobox.com>
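The port->MAC->IP enforcement Iljitsch proposes and the DOCSIS "known MAC through its own virtual port" model Todd describes are the same policy check: a provisioned binding table, and every frame is compared against the binding for the port it arrived on. The Python below is an added illustration of that check and is not code from any poster or from any switch vendor; the port names, MAC addresses and IP addresses are constructed sample values, and a real switch does this in its port-security / source-binding features rather than in a Python dictionary. It shows what the "doesn't learn the wrong things" network refuses: a host answering for the router's link-local address, a MAC that moves to a port it was not provisioned on, and traffic from an unprovisioned port.

```python
"""Port -> MAC -> IP binding enforcement as a policy check over observed frames.

Added example (not from the thread). Port, MAC and address values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Binding:
    """One provisioned host: the port (or DOCSIS virtual port) it sits behind,
    its MAC, and the addresses it is allowed to source packets from."""
    port: str
    mac: str
    ips: FrozenSet[str]


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.replace("-", ":").lower()


class BindingTable:
    def __init__(self, bindings: List[Binding]) -> None:
        self.by_port: Dict[str, Binding] = {}
        self.by_mac: Dict[str, Binding] = {}
        self.by_ip: Dict[str, Binding] = {}
        for b in bindings:
            mac = norm_mac(b.mac)
            if b.port in self.by_port or mac in self.by_mac:
                raise ValueError(f"duplicate provisioning for {b.port}/{mac}")
            # Normalise addresses once so '2001:DB8::11' and '2001:db8::11' match.
            b = Binding(b.port, mac, frozenset(str(ip_address(i)) for i in b.ips))
            self.by_port[b.port] = b
            self.by_mac[mac] = b
            for ip in b.ips:
                if ip in self.by_ip:
                    raise ValueError(f"address {ip} bound twice")
                self.by_ip[ip] = b

    def check(self, port: str, src_mac: str, src_ip: str) -> Tuple[bool, str]:
        """Decide whether a frame seen on `port` with (src_mac, src_ip) matches the
        provisioned binding for that port. Returns (allowed, reason). The same test
        covers ARP replies and Neighbor Advertisements: a host that claims an
        address bound to another port simply fails the address check."""
        mac = norm_mac(src_mac)
        try:
            ip = str(ip_address(src_ip))
        except ValueError:
            return False, "malformed source address"
        bound = self.by_port.get(port)
        if bound is None:
            return False, "unprovisioned port"
        if mac != bound.mac:
            owner = self.by_mac.get(mac)
            if owner is not None:
                return False, f"mac provisioned on port {owner.port}, seen on {port}"
            return False, "unknown mac on port"
        if ip not in bound.ips:
            owner = self.by_ip.get(ip)
            if owner is not None:
                return False, f"address bound to {owner.mac} on port {owner.port}"
            return False, "address not bound to this mac"
        return True, "ok"


def filter_frames(table: BindingTable, frames):
    """Apply the policy to (port, src_mac, src_ip) tuples; return the verdict log."""
    return [(port, mac, ip, *table.check(port, mac, ip)) for port, mac, ip in frames]


# Constructed provisioning data: two access ports plus the router's uplink port.
SAMPLE_TABLE = BindingTable([
    Binding("gi1/0/1", "00:11:22:33:44:01", frozenset({"10.0.0.11", "2001:db8::11"})),
    Binding("gi1/0/2", "00:11:22:33:44:02", frozenset({"10.0.0.12", "2001:db8::12"})),
    Binding("gi1/0/48", "00:11:22:33:44:fe", frozenset({"10.0.0.1", "2001:db8::1", "fe80::1"})),
])

# Constructed observed frames: legitimate traffic, a host answering for the
# router's link-local address, a MAC moved to another port, an unknown MAC,
# and a port nothing was ever provisioned on.
SAMPLE_FRAMES = [
    ("gi1/0/1", "00:11:22:33:44:01", "2001:db8::11"),
    ("gi1/0/1", "00:11:22:33:44:01", "fe80::1"),
    ("gi1/0/2", "00:11:22:33:44:01", "10.0.0.11"),
    ("gi1/0/2", "00:11:22:33:44:99", "10.0.0.12"),
    ("gi1/0/3", "00:11:22:33:44:03", "10.0.0.13"),
]

if __name__ == "__main__":
    for port, mac, ip, ok, reason in filter_frames(SAMPLE_TABLE, SAMPLE_FRAMES):
        print(f"{'PASS' if ok else 'DROP'} {port} {mac} {ip}: {reason}")
```

The table is keyed three ways on purpose: by port for the lookup itself, and by MAC and by address so that a drop verdict can say where the conflicting binding actually lives, which is the piece of information an operator needs when a "multiple MACs from one room" report comes in. The provisioning step is the only place the table changes; nothing in the data path learns a new binding from traffic, which is the property Sean's "as long as it doesn't learn the wrong things" depends on.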