I don't know if it's impossible, but isn't sniffing traffic on a switched network more difficult?
-jon

----- Original Message -----
From: "Tony Meman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, December 07, 2002 3:29 PM
Subject: Re: Preventing DHCP from allocating IPs

> Someone could just sniff the traffic, collect some valid MAC addresses
> and use one of them when some box is down. MAC spoofing is trivial.
>
> Regards,
>
> --
> none
>
> Hasnain Atique wrote:
>
> >My solution was somewhat more elaborate.
> >
> >I'd separated the network into sections, each connecting to a "backbone" of
> >sorts. Each segment is physically separate with a Linux
> >router/gateway/firewall linking the section to the backbone. Each Linux box
> >knows which MAC addresses are valid within its segment and only allows that
> >through to the backbone. DHCP within each segment allocates IP addresses to
> >known MACs only.
> >
> >Net result is that, unknown MAC addresses firstly don't get a DHCP
> >allocation, and secondly can't make it outside of the local segment. Even if
> >a smart user were to pick and choose an unused IP and used the right gateway
> >address, because of MAC filtering they will be limited to the local segment.
> >
> >The downside is that every single MAC address has to be known before putting
> >this in place (it's easily done with arpwatch), and there will be multiple
> >gateways to maintain. But depending on your level of paranoia you'll
> >probably like it.
> >
> >Finally, I certainly wouldn't want to automate the process of learning MAC
> >addresses and updating DHCP allocation accordingly. Defeats the entire
> >purpose!!
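The "known MACs only" DHCP step of Hasnain's design, as an added example that is not part of the thread: it reads an arpwatch-style arp.dat list (constructed sample below; the unpadded-octet MAC format is assumed) and emits an ISC dhcpd.conf fragment with `deny unknown-clients;` plus one `host` stanza per learned MAC. As Tony points out, a spoofed MAC passes this check, so the filter limits accidental or casual misuse rather than a deliberate attacker.

```python
import re

# Constructed sample in arpwatch arp.dat layout: MAC, IP, epoch seconds, optional hostname.
# arpwatch is assumed to write MAC octets without zero padding (e.g. 0:c:29:...).
ARP_DAT = """\
0:c:29:1a:2b:3c\t192.168.10.11\t1039000000\tws-01
0:50:56:aa:bb:cc\t192.168.10.12\t1039000100
0:c:29:1a:2b:3c\t192.168.10.11\t1039000200\tws-01
"""

MAC_RE = re.compile(r"^[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}$", re.I)


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and lowercase, e.g. 0:c:29:1a:2b:3c -> 00:0c:29:1a:2b:3c."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_dat(text: str) -> dict:
    """Return {mac: (ip, hostname)} keeping only the most recent entry per MAC."""
    latest = {}  # mac -> (timestamp, ip, hostname)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 3:
            raise ValueError(f"bad arp.dat line: {line!r}")
        mac = normalize_mac(parts[0])
        ts = int(parts[2])
        host = parts[3] if len(parts) > 3 and parts[3] else None
        if mac not in latest or ts > latest[mac][0]:
            latest[mac] = (ts, parts[1], host)
    return {m: (ip, host) for m, (_, ip, host) in latest.items()}


def render_dhcpd_conf(known: dict) -> str:
    """Emit dhcpd.conf text: unknown clients get no lease, known MACs get a fixed address."""
    lines = ["# Only hosts declared below receive leases.", "deny unknown-clients;", ""]
    for mac, (ip, host) in sorted(known.items()):
        name = host or "h-" + mac.replace(":", "")  # dhcpd host names must be unique
        lines += [f"host {name} {{", f"    hardware ethernet {mac};", f"    fixed-address {ip};", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhcpd_conf(parse_arp_dat(ARP_DAT)))
```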
