J. Oquendo sil at politrix.org
Mon Jan 3 18:45:20 UTC 2005

On 3-jan-05, at 10:55:49, Iljitsch van Beijnum wrote:

> If you can then enforce the port->MAC->IP mappings you're pretty much
> bullet proof. I know there are switches that can handle the port->MAC
> part. An alternative for the MAC->IP part would be the TCP MD5 option or
> IPsec.

And what if an attacker sends memberships queries with bogus MAC addresses
to a router via CGMP or IGMP messages to a switch... Would normal
filtering catch this problem (MAC spoofing/exhaustion)  Wouldn't the
switch or router say "WTF?"


x:x:x:x:x:x who has
Router "no one... you do loser"
x:x:x:x:x:x "I am now ... I am the king of the world"
Attacker via CGMP/IGMP --> Membership Query:
"Hello I am x:x:x:x:x:x at I want to join this group"
Router "checks MAC tables scratching its RAM"

OTHER SCENARIOS: http://www.cs.ucsb.edu/~krishna/igmp_dos/

// END //

Maybe I should lay off the caffeine. Aside from your bulletproof
situation, if the case held true, 1) Why haven't many implemented this, my
guess would be ANEL (Apparent Network Engineer Laziness not pronounced
similar to ANAL) 2) why hasn't someone made mention via RFC/Standard/^ETC

J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey

More information about the NANOG mailing list