IPv6, IPSEC and DoS

Re: IPv6, IPSEC and DoS

To prevent ARP or ND spoofing attack you should have L2 switch support to
it! Or you can use static ARP or ND entries, which is rather difficult to
maintain.

Regards,
      Janos Mohacsi

Funny you should mention this. I thought about this but figured the
following: regardless of VLAN/PVLAN settings, switches still need to
build an ARP table, so I would think that one can still inject bogus ARP
information, but it would likely be delegated to that particular segment
where the MACs are being spoofed from.

There was an instance last year where I saw a student using some form of
LAN generator for him to be able to spoof a network in order to play some
XBOX game. Packeteers saw multiple MAC addresses coming from the ports in
his room. When we investigated the situation he told us what it was the
program was doing and we advised him to limit it via pseudo threat of
disconnecting his port.

So what happens when an ARP-generating program collides with the address
of your L2 switch or a database? VLAN/PVLAN, even static ARP entries, won't
help much. At least I don't think there is much that can be done when
someone is determined. I could be wrong; I am almost 99.999% of the time.
Even an exhaustion attack could do some major damage.

http://www.infiltrated.net/cisco/vlan-insecurities.html
http://www.infiltrated.net/cisco/vlan-tagging-101.html
http://www.infiltrated.net/cisco/layer2-security.pdf

Aside from this, I've noticed there are quite a few OSes that still have
issues regarding IPv6:

//
http://seclists.org/lists/fulldisclosure/2004/Mar/1412.html

III. Impact
It may be possible for a local attacker to read portions of kernel
memory, resulting in disclosure of sensitive information. A local
attacker can cause a system panic.
//

Not to single out this one instance; there was also an issue with OpenBSD,
and I'm sure I could find others for Windows and NetBSD as well.

Yes, and that's why you need static MAC forwarding tables too.

If you can then enforce the port->MAC->IP mappings you're pretty much bullet proof. I know there are switches that can handle the port->MAC part. An alternative for the MAC->IP part would be the TCP MD5 option or IPsec.

I guess it's true that everything old is new again:
isn't this effectively circuit-switching? If you're
dedicating network elements to particular hosts in a
non-dynamic manner, doesn't that make your
infrastructure effectively a PBX, where moving
{device} from one room to the next requires a
technician's assistance?

-David Barak

No, it's packet-switching with a provisioning process reminiscent of the Book of Telco. Static provisioning does not a circuit make.

Joe

Point made - what I was trying to say was that it has
most of the disadvantages of a circuit-switched architecture...

you could go one step further to make it circuit switching and static
route all traffic in both directions to the individual /128's... talk
about FUN!

Not necessarily. Some public networks are moving away from the ask
everyone the question, anyone can answer model. It cuts down on the
chatter, and the spoofing. That doesn't mean you have to go to a static
provisioning model, but it does mean you have to think harder about what
you trust, what asks the questions and what answers the questions. You
can still have a dynamic network, as long as it doesn't learn the wrong
things.

One example is the typical cable modem provider. A DOCSIS modem is
provisioned with a MAC address known to the telco, and effectively creates a
virtual "port" on a huge switch^Whub with the modem's MAC as the port
identifier.

The MAC of the device behind the virtual port is then provisioned using some
sort of interface that detects and stores that MAC address as associated
with the modem. At that point it's easy to automate the process and allow
packets from known MAC addresses through only their associated virtual
ports.
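The two mitigations discussed in this thread, the static port->MAC->IP mappings proposed earlier and the DOCSIS-style "first MAC seen behind a virtual port is the provisioned one" model just described, both reduce to the same check: a frame is forwarded only if its ingress port, source MAC and source IP agree with a binding table the network operator controls, so a bogus ARP reply or ND advertisement from another port simply never learns its way into anything. The following is an added example written for this page, not code from any poster or product; the switch port names, modem identifiers, MACs and addresses are constructed sample values (documentation ranges), and the verdict strings are my own naming. It handles both IPv4 and IPv6 bindings and normalises the different MAC and IPv6 spellings that otherwise let an equivalent address slip past a naive string comparison.

```python
# Added example: enforce port -> MAC -> IP bindings over constructed frames.
# Not from the thread; port names, MACs and IPs are made-up sample values.
from dataclasses import dataclass, field
from ipaddress import ip_address


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-..', 'aabb.cc..' and
    'aa:bb:cc:..' compare equal; raises ValueError on malformed input."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def norm_ip(ip: str) -> str:
    """Canonical text form: validates the address and compresses IPv6 zeros,
    so '2001:DB8:0:0::10' and '2001:db8::10' compare equal."""
    return str(ip_address(ip))


@dataclass
class BindingTable:
    # port (or DOCSIS virtual port, i.e. modem id) -> MACs allowed to source on it
    port_macs: dict = field(default_factory=dict)
    # MAC -> IPs (v4 or v6) that MAC may source; the static ARP/ND entry equivalent
    mac_ips: dict = field(default_factory=dict)

    def bind(self, port: str, mac: str, ip: str) -> None:
        """Static provisioning: operator-declared port->MAC->IP triple."""
        mac, ip = norm_mac(mac), norm_ip(ip)
        self.port_macs.setdefault(port, set()).add(mac)
        self.mac_ips.setdefault(mac, set()).add(ip)

    def provision_first_seen(self, port: str, mac: str) -> bool:
        """DOCSIS-style: the first MAC seen behind a virtual port is stored.
        A later, different MAC on the same port is refused, not learned."""
        mac = norm_mac(mac)
        bound = self.port_macs.setdefault(port, set())
        if not bound:
            bound.add(mac)
            return True
        return mac in bound

    def check(self, port: str, src_mac: str, src_ip: str) -> str:
        """Return 'allow' or a short reason for dropping the frame."""
        try:
            mac, ip = norm_mac(src_mac), norm_ip(src_ip)
        except ValueError:
            return "malformed"
        if port not in self.port_macs:
            return "unknown-port"
        if mac not in self.port_macs[port]:
            return "mac-not-on-port"
        if ip not in self.mac_ips.get(mac, ()):
            return "ip-not-bound-to-mac"
        return "allow"


def filter_frames(table: BindingTable, frames) -> dict:
    """frames: iterable of (port, src_mac, src_ip) as seen at ingress.
    Returns a mapping verdict -> list of frames, for forwarding or logging."""
    out: dict = {}
    for frame in frames:
        out.setdefault(table.check(*frame), []).append(frame)
    return out


def demo() -> dict:
    """Run the check over constructed sample frames (no real hosts)."""
    t = BindingTable()
    t.bind("Gi1/0/1", "00:11:22:33:44:55", "192.0.2.10")
    t.bind("Gi1/0/1", "00:11:22:33:44:55", "2001:db8::10")
    t.bind("Gi1/0/2", "66-77-88-99-AA-BB", "192.0.2.11")
    frames = [
        ("Gi1/0/1", "00:11:22:33:44:55", "192.0.2.10"),       # legitimate v4
        ("Gi1/0/1", "00:11:22:33:44:55", "2001:DB8:0:0::10"),  # legitimate v6, odd spelling
        ("Gi1/0/2", "66:77:88:99:aa:bb", "192.0.2.10"),       # neighbour claims another host's IP
        ("Gi1/0/2", "00:11:22:33:44:55", "192.0.2.10"),       # known MAC, but on the wrong port
        ("Gi1/0/7", "de:ad:be:ef:00:01", "192.0.2.1"),        # port never provisioned
    ]
    return filter_frames(t, frames)


if __name__ == "__main__":
    for verdict, hits in demo().items():
        print(verdict, hits)
```

Because every verdict other than `allow` names the binding that failed, the same function serves as detection logic: feeding it ARP replies or ND advertisements seen on a monitoring port turns the dorm-room scenario described earlier (many MACs appearing on one port) into `mac-not-on-port` events for that port rather than a surprise in the packet shaper.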