On Mon, Nov 29, 2004 at 03:29:42PM +0100, Jörg Harmuth wrote:
> I sent a crafted ARP reply to a Linux box with the meaning
> "Hey, localhost is at <some_spoofed_mac_address>". Looking in the ARP
> cache on this box, I saw that this spoofed MAC address was accepted as
> the box's new MAC address for localhost on eth1. This means to me:

This is a bit vague -- what did you actually type in and what did you
actually get? Use the script(1) command if necessary.

Anyway, 127.0.0.0/8 (i.e. the local loopback) is routed locally by
default, i.e. the packets will never get to checking eth0's ARP table.
Let's see it in action:

| % ip route list table local | grep ^local
local 10.0.0.12 dev ind1  proto kernel  scope host  src 10.0.0.12
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1

Here, the IPs 127.0.0.0, 127.0.0.1, ..., 127.255.255.255, and 10.0.0.12
will be routed locally (you can see this in action when you attach
another machine, ping <your eth0 IP address> (10.0.0.12 here), and run
tcpdump on the other machine: as you will see, the packets never touch
the wire). This gets interesting when you assign the IP address of the
other machine of a point-to-point interface, and you just can't resolve
why the h*** the other machine isn't seeing anything... 8-)

> 1.) There are no checks about ARP packets.
> 2.) Nobody keeps track of the balance between ARP requests and replies
> (why accept a reply without having sent a request before?).

Unsolicited update of your neighbours' ARP cache. Good whenever you
might want to change MACs quickly (failover comes to mind).

> 3.) All the usual ARP attacks are possible.

The ARP protocol is *inherently* insecure, and rightly so. If you want
to harden your network, use static ARP tables on the switches. The
authenticity is really a business of the presentation layer in the OSI
model, which in the TCP/IP protocol suite is provided by IPSec.
You can use SSL and SSH if you want something right here right now
without the need to RTFM too much.

> Ok, this is an old box with kernel 2.4.19 (and isn't used for
> production).

As ARP is handled by the kernel, this might as well be the answer to
your questions...

HTH,

-- 
)^o-o^|  Jan Minář
 .v  K   e-mail : <jjminar@fastmail.fm>
` - .'   jabber : <rdancer@njs.netlab.cz>
 \ __/   phone  : +44(0)7981738696
__|o|__  icq    : 345355493
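The local-table lookup the reply describes, as an added example that is not code from the original thread: it parses the `ip route list table local` lines quoted above (embedded here as a constructed sample, including the `ind1` device name from that output) and does a longest-prefix match, showing which destinations the kernel hands to local delivery and which ones are the only candidates for ARP resolution at all.

```python
import ipaddress

# Constructed sample: the local routing table quoted in the mail above,
# in the output format of `ip route list table local | grep ^local`.
LOCAL_TABLE = """\
local 10.0.0.12 dev ind1  proto kernel  scope host  src 10.0.0.12
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
"""


def parse_local_routes(text):
    """Turn 'local <prefix> dev <ifname> ...' lines into (network, dev) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "local" or fields[2] != "dev":
            continue  # not a local route entry; ignore
        # A bare address such as 10.0.0.12 is a /32 host route.
        net = ipaddress.ip_network(fields[1], strict=False)
        routes.append((net, fields[3]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match of dst against the local table; None if no local route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def is_delivered_locally(routes, dst):
    """True when dst takes the local delivery path, so no ARP lookup happens
    for it regardless of what an attacker has pushed into the neighbour cache."""
    return lookup(routes, dst) is not None


if __name__ == "__main__":
    routes = parse_local_routes(LOCAL_TABLE)
    for dst in ("127.0.0.1", "127.200.1.1", "10.0.0.12", "10.0.0.13"):
        hit = lookup(routes, dst)
        verdict = f"local via {hit[1]} ({hit[0]})" if hit else "not local: needs a next hop (ARP)"
        print(f"{dst:<14} -> {verdict}")
```

Only destinations with no entry in the local table (10.0.0.13 in the sample) ever reach neighbour resolution, which is why a poisoned entry for a 127/8 address has no effect on traffic to localhost.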