
Re: ip theft!!



On Thu, Feb 07, 2002 at 08:45:06PM +0300, ksemat at wawa.eahd.or.ug wrote:
> Can someone give me an idea on how to stop a user from simply assigning
> himself another user's ip address on a LAN or a wireless network?

That is difficult.

Some switches let you nail a port to a particular MAC address, but that
doesn't really help you. Some layer 3 switches let you fix their ARP table
(so that packets destined to one particular IP address always go out of one
particular port).

For a wireless network, the only ideas I have are:

(1) Nail your ARP table at the upstream router. Then if somebody steals
someone else's IP address, it won't help them because packets to that
address will always go to the "right" customer. (If there are packets which
go directly from customer A to customer B across the broadcast medium then
they _will_ be affected, unless you get all of your customers to hard-code
their ARP tables too, but that's probably less of a problem)

You can hard-code unused IP addresses to non-existent MAC addresses (e.g.
00:00:00:00:00:00) to stop people taking spare addresses.

If a customer changes their equipment, then you will need to update your
static ARP table manually of course.

(2) Use tunneling to introduce a layer-3 boundary between all customers. For
example, you could run PPPoE between them and you, so they each have a
separate PPP session with its own assigned IP address and /32 route.

B.
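
Added example, not part of the original message: a sketch of idea (1) that builds the static ARP table for a customer subnet, pins every spare address to the all-zero MAC, and flags observed IP/MAC pairs that disagree with the table. It assumes a Linux upstream router using iproute2; the interface name `eth1`, the 192.0.2.0/29 subnet and all MAC addresses are constructed sample values.

```python
import ipaddress

NULL_MAC = "00:00:00:00:00:00"  # non-existent MAC for spare addresses, as suggested above

def build_static_arp(subnet, assigned, skip=()):
    """Return {ip: mac} covering every host address in `subnet`.

    assigned: {ip: customer_mac}. Any host address not listed is pinned to
    NULL_MAC so it cannot be taken. skip: addresses to leave out of the
    table, e.g. the router's own address.
    """
    net = ipaddress.ip_network(subnet)
    wanted = {ipaddress.ip_address(ip): mac.lower() for ip, mac in assigned.items()}
    for ip in wanted:
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
    skipped = {ipaddress.ip_address(s) for s in skip}
    return {str(h): wanted.get(h, NULL_MAC) for h in net.hosts() if h not in skipped}

def to_commands(table, dev="eth1"):
    """Render the table as permanent neighbour entries (Linux iproute2 syntax)."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in table.items()]

def find_conflicts(table, observed):
    """Return (ip, seen_mac, expected_mac) for observed pairs that contradict the table.

    observed: (ip, mac) pairs, e.g. taken from ARP traffic seen on the segment.
    A hit on a NULL_MAC entry means somebody is using a spare address.
    """
    return [(ip, mac.lower(), table[ip]) for ip, mac in observed
            if ip in table and table[ip] != mac.lower()]

# Constructed sample data: two customers on a /29, router on .1
CUSTOMERS = {"192.0.2.2": "02:00:00:AA:00:02", "192.0.2.3": "02:00:00:aa:00:03"}
OBSERVED = [("192.0.2.2", "02:00:00:aa:00:02"),   # matches the table
            ("192.0.2.3", "02:00:00:aa:00:99"),   # customer address, wrong MAC
            ("192.0.2.5", "02:00:00:aa:00:77")]   # spare address in use

if __name__ == "__main__":
    table = build_static_arp("192.0.2.0/29", CUSTOMERS, skip=["192.0.2.1"])
    print("\n".join(to_commands(table)))
    for ip, seen, expected in find_conflicts(table, OBSERVED):
        print(f"conflict: {ip} seen at {seen}, table says {expected}")
```

When a customer changes equipment, update the customer table and regenerate the commands; a conflict reported for that customer until then is expected.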

-----
This is the afnog mailing list, managed by Majordomo 1.94.5
