[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Visitor based netoworking

On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> I took a look at nocat and it really seems to do almost the things
> I'm looking for *g* Thank you.
> But I have a recommendation / question: Wouldn't it be possible to
> also check the MAC of clients on the net? This way we could make IP-
> hijacking (as written in the nocat-whitepaper) a lot harder I think.
> Unfortunately I don't know if this is possible with something like
> iptables - since mac-addresses work on a different (lower) layer.

Sure.  The problem is that NoCat is designed for wireless networks, and you 
cannot trust MAC addresses from them - they are too easily spoofed.  I think 
wired networks may suffer from the same issue, but have not verified this.  
FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless 
you disable it.

If you really need control down to the individual port, just get a box with a 
very large number of network interfaces, instead of a switch, and hack 
NoCatAuth to operate based on physical interface instead of addressing.

 - Keegan

Reply to: