Re: [cobalt-security] ARP and its variations
- Subject: Re: [cobalt-security] ARP and its variations
- From: Paul Gillingwater <paul@xxxxxxxxxxx>
- Date: Tue, 14 Aug 2001 16:33:16 +0200 (CEST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Quoting Kevin D <kdlists@xxxxxxxxxxxxxxx>:
> From: "Paul Gillingwater" <paul@xxxxxxxxxxx>
>
> > If the IP address you
> > request is in a different subnet, then the default gateway
> > (usually your router or firewall) will respond with its
> > own MAC address.
>
> I thought that if the IP address you requested was in a different
> subnet, your PC/network device would automatically forward that
> request to the default gateway? Otherwise, why would you need to tell
> your PC/network device what your default gateway was?
We're talking at two different levels here, in the OSI 7-layer model.
IP works at Layer 3 -- Ethernet and Token Ring work at Layer 2.
You are correct that if the IP address you request is in a different
subnet, then it will be routed via the default gateway, in which case
your node will do an ARP broadcast for the gateway. It's also possible
to have a Proxy ARP configuration, where the router will itself
respond for devices it "knows" are beyond it.
I agree, most people aren't doing this, and I apologise for including
too much detail which didn't really help to illustrate the point.
Proxy ARPs are mostly used with dial-up devices. There are also
DHCP ARPs (which is used to prevent address duplication), Gratuitous
ARPs (used as a kind of "I'm not dead yet" message) and not to
forget Reverse ARP (used by diskless workstations to find their own
IP address) and the little-used un-ARP (beloved of hackers for
man-in-the-middle attacks) which forces devices to remove their
entries from their local ARP caches.
Note that ARP is not for IP only -- it can also be used with other
protocols. It's not part of IP.
> ARP, I thought, only dealt with mapping IPs to MAC address. It should
> have nothing to do with routing to a default gateway, right?
See above -- it certainly can. Let's not even get into the use
of Layer 3 switching, where the switch will bridge packets
transparently into other segments by responding to an ARP with
its own address.
Back to security -- most of these MITM attacks can only succeed
if the hacker can compromise a device in the path between you
and your target. For your local network, it's helpful to
program your switches to prevent unknown MAC addresses being
able to connect to a port, and on the Cobalt side, run ARPwatch.
*********************************
Paul Gillingwater
Managing Director
CSO Lanifex Unternehmensberatung
& Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: paul@xxxxxxxxxxx
Teleph: +43/1/2198222
Mobile: +43/699/1922 3085
Webhome: http://www.lanifex.com/
Address: Praterstrasse 60/1/2
A-1020 Vienna, Austria
*********************************
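The post closes by recommending ARPwatch on the Cobalt box to catch the ARP-based man-in-the-middle attacks it describes. Below is an added example, written for this page and not code from Paul's message or from the real arpwatch tool, that shows what such a watcher has to do at Layer 2: parse raw Ethernet/IPv4 ARP frames (RFC 826 layout), learn IP-to-MAC bindings, and flag the events a poisoner causes. The alert names ("new station", "changed ethernet address", "flip flop", "ethernet mismatch") follow arpwatch's vocabulary, but the logic, the hosts, MAC addresses and the replayed exchange are all constructed here for illustration; the example also handles the zero-sender-IP probe (the "DHCP ARP" mentioned above) and the gratuitous reply, which the post only names.

```python
import struct

# Ethernet II header and ARP body for Ethernet/IPv4 (RFC 826), network byte order.
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build a raw Ethernet frame carrying an ARP request or reply (constructed test data only)."""
    eth_src = eth_src or sha                    # an honest sender uses the same MAC in both places
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                           mac_bytes(tha), ip_bytes(tpa)))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Learn IP -> MAC bindings from observed ARP and flag the changes a poisoner causes."""

    def __init__(self):
        self.table = {}   # ip -> [current_mac, previous_mac]

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts = []
        ip, mac = pkt["spa"], pkt["sha"]
        if mac != pkt["eth_src"]:
            # Frame's hardware source differs from the ARP sender address: someone is spoofing.
            alerts.append(("ethernet mismatch", ip, pkt["eth_src"], mac))
        if ip == "0.0.0.0":
            # ARP probe used for duplicate-address detection (the "DHCP ARP"): nothing to learn.
            return alerts
        if ip == pkt["tpa"]:
            alerts.append(("gratuitous arp", ip, mac))
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = [mac, None]
            alerts.append(("new station", ip, mac))
        elif entry[0] != mac:
            # Reverting to the previous MAC is the classic poison/recover "flip flop" pattern.
            kind = "flip flop" if mac == entry[1] else "changed ethernet address"
            alerts.append((kind, ip, entry[0], mac))
            self.table[ip] = [mac, entry[0]]
        return alerts


def run_sample():
    """Replay a constructed LAN exchange: a host finds its gateway, then an attacker claims the gateway IP."""
    host, host_mac = "192.168.1.10", "aa:bb:cc:00:00:10"       # hypothetical addresses
    gw, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    attacker_mac = "02:00:00:00:00:99"
    frames = [
        build_arp(ARP_REQUEST, host_mac, host, "00:00:00:00:00:00", gw),  # who-has gateway?
        build_arp(ARP_REPLY, gw_mac, gw, host_mac, host),                 # gateway answers
        build_arp(ARP_REPLY, attacker_mac, gw, host_mac, host),           # poisoned reply: MITM begins
        build_arp(ARP_REPLY, gw_mac, gw, host_mac, host),                 # real gateway answers again
    ]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for step in run_sample():
        for alert in step:
            print(alert)
```

Run as-is it prints the four-step story the post describes: two "new station" bindings, then "changed ethernet address" when the attacker's reply overwrites the gateway's MAC, then "flip flop" when the real gateway is heard again. A real watcher would read frames from a raw socket or pcap rather than from `run_sample()`, and would persist the binding table across restarts so that "new station" noise does not recur every time it starts; the detection decisions themselves are the ones shown here.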