Re: Visitor based networking
On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> I took a look at nocat and it really seems to do almost the things
> I'm looking for *g* Thank you.
> But I have a recommendation / question: Wouldn't it be possible to
> also check the MAC of clients on the net? This way we could make
> IP-hijacking (as written in the nocat-whitepaper) a lot harder I think.
> Unfortunately I don't know if this is possible with something like
> iptables - since mac-addresses work on a different (lower) layer.
Sure. The problem is that NoCat is designed for wireless networks, and you
cannot trust MAC addresses from them - they are too easily spoofed. I think
wired networks may suffer from the same issue, but have not verified this.
FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless
you disable it.
If you really need control down to the individual port, just get a box with a
very large number of network interfaces, instead of a switch, and hack
NoCatAuth to operate based on physical interface instead of addressing.
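As an added illustration of the two points above (that iptables can match on MAC as well as IP, and that an authenticated IP turning up with a different MAC is the IP-hijacking symptom worth watching for), the following example is not NoCat code; the chain name, the client table and the ARP lines are constructed for the demonstration.

```python
import re

# Authenticated clients as a captive portal would track them after login.
# Constructed sample data: the IPs and MACs are placeholders.
AUTHENTICATED = {
    "10.0.0.21": "00:11:22:33:44:55",
    "10.0.0.22": "00:11:22:33:44:66",
}

def allow_rule(ip, mac, chain="NoCat_Inbound"):
    """Build an iptables rule that accepts traffic only when the source IP
    and the source MAC both match the authenticated pair (iptables' 'mac'
    match module). The chain name is an assumption, not NoCat's own."""
    return (f"iptables -A {chain} -s {ip} -m mac --mac-source {mac.lower()} "
            f"-j ACCEPT")

# One line of `ip neigh` output, e.g.
# "10.0.0.21 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE"
ARP_LINE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})")

def find_hijacks(arp_output, authenticated=AUTHENTICATED):
    """Return {ip: (expected_mac, observed_mac)} for every authenticated IP
    whose neighbour-table entry carries a different MAC. A mismatch means
    another station is answering for that address. The check is only as
    strong as the MAC itself, which a wireless client can spoof."""
    mismatches = {}
    for line in arp_output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        ip, seen = m.group(1), m.group(2).lower()
        expected = authenticated.get(ip)
        if expected and expected.lower() != seen:
            mismatches[ip] = (expected.lower(), seen)
    return mismatches

# Constructed neighbour-table output: .22 is being claimed by a foreign MAC,
# .99 never authenticated and is ignored.
SAMPLE_ARP = """\
10.0.0.21 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.22 dev wlan0 lladdr de:ad:be:ef:00:01 STALE
10.0.0.99 dev wlan0 lladdr 00:11:22:33:44:77 REACHABLE
"""

if __name__ == "__main__":
    for ip, mac in AUTHENTICATED.items():
        print(allow_rule(ip, mac))
    print(find_hijacks(SAMPLE_ARP))
```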