
Re: [cobalt-security] ARP and its variations



Quoting Kevin D <kdlists@xxxxxxxxxxxxxxx>:

> From: "Paul Gillingwater" <paul@xxxxxxxxxxx>
> 
> > If the IP address you
> > request is in a different subnet, then the default gateway
> > (usually your router or firewall) will respond with its
> > own MAC address.
> 
> I thought that if the IP address you requested was in a different
> subnet, your PC/network device would automatically forward that
> request to the default gateway? Otherwise, why would you need to tell
> your PC/network device what your default gateway was?

We're talking at two different levels here, in the OSI 7-layer model.

IP works at Layer 3 -- Ethernet and Token Ring work at Layer 2.

You are correct that if the IP address you request is in a different
subnet, then it will be routed via the default gateway, in which case
your node will do an ARP broadcast for the gateway.  It's also possible
to have a Proxy ARP configuration, where the router will itself
respond for devices it "knows" are beyond it.

I agree, most people aren't doing this, and I apologise for including
too much detail which didn't really help to illustrate the point.
Proxy ARPs are mostly used with dial-up devices.  There are also
DHCP ARPs (which are used to prevent address duplication), Gratuitous
ARPs (used as a kind of "I'm not dead yet" message) and not to
forget Reverse ARP (used by diskless workstations to find their own
IP address) and the little-used un-ARP (beloved of hackers for
man-in-the-middle attacks) which forces devices to remove their
entries from their local ARP caches.

Note that ARP is not for IP only -- it can also be used with other
protocols.  It's not part of IP.

> ARP, I thought, only dealt with mapping IPs to MAC address. It should
> have nothing to do with routing to a default gateway, right?

See above -- it certainly can.  Let's not even get into the use
of Layer 3 switching, where the switch will bridge packets
transparently into other segments by responding to an ARP with
its own address.

Back to security -- most of these MITM attacks can only succeed
if the hacker can compromise a device in the path between you
and your target.  For your local network, it's helpful to
program your switches to prevent unknown MAC addresses being
able to connect to a port, and on the Cobalt side, run ARPwatch.

*********************************
        Paul Gillingwater
        Managing Director
 CSO Lanifex Unternehmensberatung 
 & Softwareentwicklung G.m.b.H.
      NEW BUSINESS CONCEPTS

E-mail:  paul@xxxxxxxxxxx
Teleph:  +43/1/2198222
Mobile:  +43/699/1922 3085
Webhome: http://www.lanifex.com/
Address: Praterstrasse 60/1/2 
         A-1020 Vienna, Austria
*********************************
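
Added example, not part of the original message and not ARPwatch's own code: a Python monitor that decodes Ethernet/IPv4 ARP bodies, records the MAC address seen for each IP, and reports when a binding changes, noting whether the change arrived in a gratuitous ARP. The function and event names, the MAC addresses and the 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body, 28 bytes (RFC 826)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    """Decode one ARP body; return None unless it is Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac(sha), "spa": socket.inet_ntoa(spa),  # op 1/2 ARP, 3/4 RARP
            "tpa": socket.inet_ntoa(tpa), "gratuitous": spa == tpa}

class ArpMonitor:
    """Remember the MAC last seen for each IP and report changes."""
    def __init__(self):
        self.table = {}

    def observe(self, payload):
        pkt = parse_arp(payload)
        if pkt is None or pkt["spa"] == "0.0.0.0":  # not ARP, or a probe with no sender IP
            return None
        ip, hw = pkt["spa"], pkt["sha"]
        old, self.table[ip] = self.table.get(ip), hw
        if old is None:
            return ("new-station", ip, hw)
        if old != hw:
            kind = "changed-gratuitous" if pkt["gratuitous"] else "changed"
            return (kind, ip, old, hw)
        return None

def build(op, sha, spa, tha, tpa):
    """Constructed sample ARP body for the demo (not a real capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(sha),
                       socket.inet_aton(spa), raw(tha), socket.inet_aton(tpa))

def demo():
    mon = ArpMonitor()
    gw, host, other = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
    frames = [build(2, gw, "192.0.2.1", host, "192.0.2.20"),   # normal reply
              build(2, gw, "192.0.2.1", host, "192.0.2.20"),   # same binding again
              build(2, other, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1")]  # gratuitous
    return [mon.observe(f) for f in frames]
```

Calling `demo()` returns one event per frame: a new station, no event for the repeated binding, and a changed binding for the gateway address.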