Re: IPv6 Deployment for the LAN
On Fri, Oct 23, 2009 at 12:50:47PM +1300, Perry Lorier wrote:
> I've implemented myself a system which firewalled all ARP within the AP and
> queried the DHCP server asking for the correct MAC for that lease then sent
> the ARP back (as well as firewalling DHCP servers and the like). It's
> quite easily doable, and quite reliable. If nodes were to send packets
> directly when associated to an AP then the 802.11 protocol would fall
> apart; I've never met an implementation that broke this requirement of the
> standard.
It had not occurred to me to intercept ARP (or ND) as a transition
mechanism, that is pretty clever, but the idea of using DHCPv*
leasequery as a way to make IP->MAC resolution both secure and unicast
is something I've heard many times.
I don't know about my peers, but I would be very interested to see an
RFC that describes and examines your results.
> You can of course pretend you're the AP and send a packet if you're wanting
> to be vicious enough.
Yes, of course, that is much simpler. If the attacker can associate
with the real wireless network, they can always bridge and provide a
rogue AP to insert themselves in the middle.
Sometimes in focusing on packet exchanges, we miss the forest for the
trees.
--
David W. Hankins                    "If you don't do it right the first time,
Software Engineer                        you'll just have to do it again."
Internet Systems Consortium, Inc.                       -- Jack T. Hankins
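The AP-side ARP interception Perry describes, sketched here as an added Python example that is not code from either poster: the AP refuses station-originated ARP replies, checks that a requester's claimed IP matches its DHCP lease, and answers the request itself with a unicast reply built from the lease table. The `LEASES` dict is a constructed stand-in for what the AP would fetch from the DHCP server with a leasequery.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

# Constructed lease table standing in for a DHCP leasequery cache: the AP trusts
# only the IP->MAC bindings the DHCP server has actually issued.
LEASES = {
    "192.0.2.10": bytes.fromhex("02000000000a"),
    "192.0.2.20": bytes.fromhex("020000000014"),
}

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst = BROADCAST if op == ARP_REQUEST else tha   # replies go unicast to the asker
    eth = ETH_HDR.pack(dst, sha, ETH_P_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame):
    """Return (eth_src, op, sha, spa, tha, tpa) or None if this is not an ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return src, op, sha, str(IPv4Address(spa)), tha, str(IPv4Address(tpa))

def ap_handle_arp(frame, leases=LEASES):
    """AP decision for a frame from a station: ("pass", ...), ("drop", reason) or ("reply", frame)."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "pass", "not ARP"                       # normal forwarding, not our concern here
    src, op, sha, spa, _tha, tpa = parsed
    if op != ARP_REQUEST:
        return "drop", "stations may not send ARP replies"   # only the AP answers ARP
    if src != sha or leases.get(spa) != sha:
        return "drop", f"sender {spa} does not match its DHCP lease"   # spoofed source
    owner = leases.get(tpa)
    if owner is None:
        return "drop", f"no lease for {tpa}"           # nothing to resolve, nothing flooded
    # Answer on the DHCP server's authority, unicast back to the requester only.
    return "reply", build_arp(ARP_REPLY, owner, tpa, sha, spa)
```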