Someone could just sniff the traffic, collect some valid MAC addresses and use
one of them when some box is down. MAC spoofing is trivial.
Regards,
--
none
Hasnain Atique wrote:
>My solution was somewhat more elaborate.
>
>I'd separated the network into sections, each connecting to a "backbone" of
>sorts. Each segment is physically separate with a Linux
>router/gateway/firewall linking the section to the backbone. Each Linux box
>knows which MAC addresses are valid within its segment and only allows that
>through to the backbone. DHCP within each segment allocates IP addresses to
>known MACs only.
>
>The net result is that unknown MAC addresses firstly don't get a DHCP
>allocation, and secondly can't make it outside of the local segment. Even if
>a smart user were to pick and choose an unused IP and use the right gateway
>address, because of MAC filtering they will be limited to the local segment.
>
>The downside is that every single MAC address has to be known before putting
>this in place (it's easily done with arpwatch), and there will be multiple
>gateways to maintain. But depending on your level of paranoia you'll
>probably like it.
>
>Finally, I certainly wouldn't want to automate the process of learning MAC
>addresses and updating DHCP allocation accordingly. Defeats the entire
>purpose!!
>
>
Received on Dec 09 2002
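As an added illustration of the scheme Hasnain describes (per-segment allowlist of MAC addresses driving both the DHCP fixed allocations and the gateway's forwarding filter), and of the check a practitioner would want around it, the script below is example code written for this page, not something either poster supplied. The hostnames, MAC addresses, IPs, interface names and the arpwatch-style sightings are all constructed. The generated dhcpd.conf fragment uses ISC dhcpd's `host`/`hardware ethernet`/`fixed-address` and `deny unknown-clients` statements; the iptables rules pin each allowed MAC to its fixed IP with `-m mac --mac-source` plus `-s`, so a real MAC paired with a "picked" unused IP is dropped as well. The sighting check flags the two things arpwatch would surface: a MAC that is not on the list, and a listed MAC showing up with the wrong IP. What none of this catches is exactly the point of the reply above: someone who copies both the MAC and the fixed IP of a box that is currently down passes every check here.

```python
"""Allowlist-driven MAC filtering for a Linux segment gateway, plus a spoofing
check over ARP sightings. Example code for this page; all data is constructed."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed allowlist for one segment: hostname -> (MAC, fixed IP).
SEGMENT_HOSTS = {
    "ws01": ("00:11:22:33:44:01", "10.1.0.11"),
    "ws02": ("00-11-22-33-44-02", "10.1.0.12"),   # dash form, normalised below
    "prn01": ("00:11:22:33:44:10", "10.1.0.20"),
}


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to lowercase, colon-separated form; reject garbage."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


def dhcpd_host_stanzas(hosts: dict) -> str:
    """ISC dhcpd.conf fragment: refuse unknown clients, fix IPs for known MACs."""
    lines = ["deny unknown-clients;", ""]
    for name, (mac, ip) in sorted(hosts.items()):
        lines += [
            f"host {name} {{",
            f"    hardware ethernet {normalize_mac(mac)};",
            f"    fixed-address {ip};",
            "}",
        ]
    return "\n".join(lines) + "\n"


def iptables_forward_rules(hosts: dict, lan_if="eth1", backbone_if="eth0") -> list:
    """Forwarding policy for the segment gateway (hypothetical interface names).

    Default-deny on FORWARD; one ACCEPT per allowed (MAC, IP) pair towards the
    backbone; replies back into the segment only for established flows."""
    rules = ["iptables -P FORWARD DROP"]
    for _name, (mac, ip) in sorted(hosts.items()):
        rules.append(
            f"iptables -A FORWARD -i {lan_if} -o {backbone_if} "
            f"-m mac --mac-source {normalize_mac(mac)} -s {ip} -j ACCEPT"
        )
    rules.append(
        f"iptables -A FORWARD -i {backbone_if} -o {lan_if} "
        "-m state --state ESTABLISHED,RELATED -j ACCEPT"
    )
    return rules


def check_arp_sightings(hosts: dict, sightings) -> list:
    """Classify (ip, mac) sightings as arpwatch would report them.

    Returns a list of (kind, ip, mac) findings:
      unknown-mac  - MAC not on the segment allowlist
      ip-mismatch  - allowlisted MAC seen with an IP other than its fixed one
    A sighting that matches both MAC and fixed IP is indistinguishable from the
    legitimate host, which is the spoofing case the reply above points out."""
    mac_to_ip = {normalize_mac(mac): ip for _, (mac, ip) in hosts.items()}
    findings = []
    for ip, mac in sightings:
        mac = normalize_mac(mac)
        if mac not in mac_to_ip:
            findings.append(("unknown-mac", ip, mac))
        elif mac_to_ip[mac] != ip:
            findings.append(("ip-mismatch", ip, mac))
    return findings


# Constructed sightings: legitimate ws01, ws01's MAC on a hand-picked IP,
# and a MAC nobody registered.
SAMPLE_SIGHTINGS = [
    ("10.1.0.11", "00:11:22:33:44:01"),
    ("10.1.0.99", "00:11:22:33:44:01"),
    ("10.1.0.50", "de:ad:be:ef:00:01"),
]


def demo() -> list:
    return check_arp_sightings(SEGMENT_HOSTS, SAMPLE_SIGHTINGS)


if __name__ == "__main__":
    print(dhcpd_host_stanzas(SEGMENT_HOSTS))
    print("\n".join(iptables_forward_rules(SEGMENT_HOSTS)))
    for kind, ip, mac in demo():
        print(f"{kind}: {ip} {mac}")
```

Run as a script it prints the config fragment, the rule set and the findings; the generator functions are kept separate from anything that applies rules, so the output can be reviewed before it touches a gateway.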