On Tue, 2004-11-23 at 02:36, David Woodhouse wrote:
> I've just had a great idea. IP spoofing can be a big problem -- it can
> be used to poison DNS caches and hijack TCP sessions, and to cause a
> denial of service attack.
> We can use the same technique as SPF to address this forgery, though. I
> can publish a record which says the MAC address of my Ethernet card or
> the phone number I dial from (or whatever's appropriate to my
> connection).
Works for local networks, but once the routers get involved.... It's
even worse than a chain of ten forwarding mail servers; it's varying
chains of on average eight to thirty-two hops of routers.
So I think you'd be hard pressed to beat IPsec with opportunistic keying,
then you simply sign the packets.
For the local network I always thought it would be neat to keep a list
of MACs that were authorized to be on a network, so that if someone
brought in a laptop I can listen to the arp/rarp/dhcp whatever traffic
and be notified about the intruder quickly. I've been in places where we
had less than thirty machines on a segment that didn't get changed that
often -- so the false positives would be rare enough. Tie this stuff
into your firewall, and you can at least keep intruders from reaching
the outside world without your permission.
--
http://dmoz.org/profiles/pollei.html
http://sourceforge.net/users/stephen_pollei/
http://www.orkut.com/Profile.aspx?uid=2455954990164098214
http://stephen_pollei.home.comcast.net/
GPG Key fingerprint = EF6F 1486 EC27 B5E7 E6E1 3C01 910F 6BB5 4A7D 9677
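The authorized-MAC listener sketched in the reply above, as an added example (Python, written for this page, not code from anyone in the thread): it normalizes MACs, alerts once per unknown MAC, and also flags an authorized MAC claiming an IP already bound to another authorized MAC. The allowlist, the events and the "proto ip mac" line format are constructed assumptions about what a listener parsing ARP replies and DHCP requests would log.

```python
import re

# Constructed allowlist for a small segment (placeholder MACs, not real hosts).
AUTHORIZED = ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"]

# Constructed events in an assumed "proto ip mac" format, as a listener that
# parses ARP replies and DHCP requests might log them.
SAMPLE_EVENTS = [
    "arp  10.0.0.5   00:11:22:33:44:55",
    "dhcp 10.0.0.23  00-11-22-33-44-66",
    "arp  10.0.0.5   AA:BB:CC:DD:EE:FF",
    "arp  10.0.0.9   00:11:22:33:44:77",
    "arp  10.0.0.9   00:11:22:33:44:77",
    "arp  10.0.0.5   00:11:22:33:44:66",
    "arp  10.0.0.31  aa:bb:cc:dd:ee:ff",
]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so '00-11-..' and '00:11:..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(events, authorized):
    """Return (kind, mac, ip, proto) alerts: unknown MACs (once each, to keep
    the alert volume low) and authorized MACs claiming an IP already bound
    to a different authorized MAC (a likely ARP spoof or misconfiguration)."""
    allow = {normalize_mac(m) for m in authorized}
    ip_owner = {}        # ip -> first authorized MAC seen using it
    reported = set()     # unknown MACs already alerted on
    alerts = []
    for line in events:
        proto, ip, mac = line.split()
        mac = normalize_mac(mac)
        if mac not in allow:
            if mac not in reported:
                reported.add(mac)
                alerts.append(("unknown-mac", mac, ip, proto))
            continue
        owner = ip_owner.setdefault(ip, mac)
        if owner != mac:
            alerts.append(("ip-conflict", mac, ip, proto))
    return alerts


def macs_to_block(alerts):
    """MACs the firewall should hold off the outside world until approved."""
    return sorted({a[1] for a in alerts if a[0] == "unknown-mac"})
```

On the sample above this yields one unknown-mac alert for aa:bb:cc:dd:ee:ff (its second appearance is suppressed) and one ip-conflict for 10.0.0.5.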