Some very strange network behaviors

Ray Wong rayw at rayw.net
Thu Sep 11 22:15:41 UTC 2003


> Even if a switch floods all ports, it does not change the fact the packet
> will not have the correct MAC address and his NIC should never pass it
> up the stack. Switches do not rewrite the Ethernet addresses on packets.

Correct, ethernet switches do not.  The question is, what were the systems
in question connecting to?  Many hotels bought into proprietary broadband
systems, some of which are still in service.  Just because there's an
ethernet port in the room says nothing about the hotel's internal net.

Some of them did (do) a very poor job of encapsulating or translating the
ethernet (or even layer 3, some of them were IP-only) at the room, converting
to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again
converting (badly) back downstairs.  It's entirely possible the next IP
speaking box in line does not, in fact, know what the MAC of the client PC
on the end of the line actually is.  Room 2037A gets the traffic for room
2037A, regardless of what the router's arp cache or the switch's mac map
actually says.  The MAC seen may very well be generated by the concentrating
equipment and not the peecee.  Even if the IP is negotiated with the node,
a la pppoe, there's no certainty that the traffic isn't modified in between.
Without speaking to someone "in the know" about the hotel, there's no telling
what actually happened.

All of which misses the issue he suggested, that traffic in any public arena
must be viewed as suspect.  Yes, corporations who rely on an edge firewall
solution and do not standardize on some form of node protection and audit
process are likely exposing themselves to this sort of thing all the time.
Should they fix it?  Probably, but few of them are employing me/us, so
there's nothing I or most here can do about it.  That's not a technical
problem. :-\

-- 

Ray Wong
rayw at rayw.net
