ARP Spoofing

ARP Spoofing

[Topher Fischer]

[-- Attachment #1: Type: text/plain, Size: 314 bytes --]

Does the kernel have any protection against ARP spoofing?  If not, does
anybody know why not? (As in, nobody has done anything, or because of A,
B, and C).

Thanks,

-- 
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42@cs.byu.edu | http://www.thetopher.com


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 251 bytes --]

Re: ARP Spoofing

[Vlad Yasevich]

Topher Fischer wrote:
> Does the kernel have any protection against ARP spoofing?  If not, does
> anybody know why not? (As in, nobody has done anything, or because of A,
> B, and C).
> 
> Thanks,
> 

If by arp spoofing you mean receiving arp replies from multiple sources and
trusting all of them, then I haven't seen anything.  I speaking from
experience as having been bitten by this in earlier kernels (2.6.15 and 2.6.17),
it's a pita to diagnose in a large environment.

I don't know the history as to why nothing has has been done.

-vlad

Re: ARP Spoofing

[Chris Friesen]

Vlad Yasevich wrote:

> If by arp spoofing you mean receiving arp replies from multiple sources and
> trusting all of them, then I haven't seen anything.
> 
> I don't know the history as to why nothing has has been done.

This concept is a valuable tool to allow for fast publishing of IP 
address takeover in redundant-server situations.

There are ways in which it can be misused, but that doesn't make it an 
invalid technique.

Chris

Re: ARP Spoofing

[Vlad Yasevich]

Chris Friesen wrote:
> Vlad Yasevich wrote:
> 
>> If by arp spoofing you mean receiving arp replies from multiple
>> sources and
>> trusting all of them, then I haven't seen anything.
>>
>> I don't know the history as to why nothing has has been done.
> 
> This concept is a valuable tool to allow for fast publishing of IP
> address takeover in redundant-server situations.
> 
> There are ways in which it can be misused, but that doesn't make it an
> invalid technique.
> 

Yes, but when some bozo on the network misconfigures his system and
steals the IP of the default router, all hell breaks lose.

BSD is nice enough to tell you that a duplicate ARP response has been
received and gives you nobs to be able to turn this on and off.

BTW, the same issue came in IPv6, where a malicious user can cause
all sorts of nasty things on the network and the solution for that was SEND
(RFC 3971).  So at least the same problem can be solved in IPv6.

-vlad

Re: ARP Spoofing

[Topher Fischer]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Friesen wrote:
> Vlad Yasevich wrote:
> 
>> If by arp spoofing you mean receiving arp replies from multiple
>> sources and
>> trusting all of them, then I haven't seen anything.
>>
>> I don't know the history as to why nothing has has been done.
> 
> This concept is a valuable tool to allow for fast publishing of IP
> address takeover in redundant-server situations.
> 
> There are ways in which it can be misused, but that doesn't make it an
> invalid technique.

I don't think it would be too difficult to preserve this kind of
functionality while improving security.  Is this really the only reason
why nothing has been done to protect machines from ARP spoofing?


- --
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42@cs.byu.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFGOSKBL8O+mdEjZnQRAowZAJoCawbK1IM+TxBvAaNGtzdw5UrDmgCdGB5L
1mJdu4W61Opj+zqgtQJfdp8=
=qlBs
-----END PGP SIGNATURE-----

Re: ARP Spoofing

[Stephen Hemminger]

On Wed, 02 May 2007 17:45:05 -0600
Topher Fischer <javert42@cs.byu.edu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Chris Friesen wrote:
> > Vlad Yasevich wrote:
> > 
> >> If by arp spoofing you mean receiving arp replies from multiple
> >> sources and
> >> trusting all of them, then I haven't seen anything.
> >>
> >> I don't know the history as to why nothing has has been done.
> > 
> > This concept is a valuable tool to allow for fast publishing of IP
> > address takeover in redundant-server situations.
> > 
> > There are ways in which it can be misused, but that doesn't make it an
> > invalid technique.
> 
> I don't think it would be too difficult to preserve this kind of
> functionality while improving security.  Is this really the only reason
> why nothing has been done to protect machines from ARP spoofing?
> 

Surely, you can do what you want with netfilter/arptables.

-- 
Stephen Hemminger <shemminger@linux-foundation.org>