
Re: Visitor based networking



On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> I took a look at nocat and it really seems to do almost the things
> I'm looking for *g* Thank you.
>
> But I have a recommendation / question: Wouldn't it be possible to
> also check the MAC of clients on the net? This way we could make IP-
> hijacking (as written in the nocat-whitepaper) a lot harder I think.
>
> Unfortunately I don't know if this is possible with something like
> iptables - since mac-addresses work on a different (lower) layer.

Sure.  The problem is that NoCat is designed for wireless networks, and you 
cannot trust MAC addresses from them - they are too easily spoofed.  I think 
wired networks may suffer from the same issue, but have not verified this.  
FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless 
you disable it.

If you really need control down to the individual port, just get a box with a 
very large number of network interfaces, instead of a switch, and hack 
NoCatAuth to operate based on physical interface instead of addressing.

 - Keegan
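An added illustration of the IP-plus-MAC pairing discussed above (example code, not NoCatAuth's own): it parses a constructed /proc/net/arp snapshot, emits the iptables `-m mac --mac-source` rules a gateway could use to admit a client only when both its IP and MAC match the login-time binding, and reports sessions whose IP now answers from a different MAC. Host addresses, MACs and the chain layout are assumptions; as the reply notes, a client that spoofs the bound MAC passes this check.

```python
import re

# Constructed snapshot in /proc/net/arp layout; hosts and MACs are made up.
ARP_SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x2         00:11:22:33:44:55     *        wlan0
10.0.0.12        0x1         0x2         aa:bb:cc:dd:ee:ff     *        wlan0
10.0.0.13        0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
ATF_COM = 0x2  # kernel flag bit marking a completed ARP entry


def parse_arp(text):
    """Return {ip: mac} for completed entries of a /proc/net/arp dump."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM and MAC_RE.match(mac):
            table[ip] = mac
    return table


def allow_rules(ip, mac):
    """iptables commands admitting a client only when IP and MAC both match.

    The mac match inspects the source MAC of frames as they arrive at the
    gateway, so it is only meaningful for directly attached (same segment)
    clients; the trailing DROP catches the same IP arriving from any other
    MAC. Chain choice (FORWARD) is an assumption for this example.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac}")
    return [
        f"iptables -A FORWARD -s {ip} -m mac --mac-source {mac} -j ACCEPT",
        f"iptables -A FORWARD -s {ip} -j DROP",
    ]


def check_bindings(sessions, arp_table):
    """Compare login-time {ip: mac} bindings with the current ARP table.

    Returns [(ip, bound_mac, seen_mac)] for every session whose IP no longer
    maps to the bound MAC; seen_mac is None when the IP has no completed ARP
    entry. A mismatch is a hijacking signal worth logging; a client that has
    copied the bound MAC will not show up here.
    """
    mismatches = []
    for ip, bound in sessions.items():
        seen = arp_table.get(ip)
        if seen != bound.lower():
            mismatches.append((ip, bound.lower(), seen))
    return mismatches


if __name__ == "__main__":
    arp = parse_arp(ARP_SNAPSHOT)
    for rule in allow_rules("10.0.0.11", arp["10.0.0.11"]):
        print(rule)
    # Constructed session table: .12 was bound to a MAC that no longer answers.
    sessions = {"10.0.0.11": "00:11:22:33:44:55",
                "10.0.0.12": "00:de:ad:be:ef:00"}
    for ip, bound, seen in check_bindings(sessions, arp):
        print(f"binding mismatch: {ip} bound to {bound}, now seen from {seen}")
```

Run it to see the two rules for 10.0.0.11 and one mismatch report for 10.0.0.12. The ARP comparison is a periodic check a gateway could run beside the firewall rules; the incomplete entry for 10.0.0.13 (flags 0x0) is deliberately ignored so a stale or unanswered ARP probe does not raise a false alarm.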


