From owner-freebsd-hackers  Mon Apr 27 07:46:57 1998
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA25280
          for freebsd-hackers-outgoing; Mon, 27 Apr 1998 07:46:57 -0700 (PDT)
          (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from phoenix.its.rpi.edu (dec@phoenix.its.rpi.edu [128.113.161.45])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA25237
          for <freebsd-hackers@FreeBSD.ORG>; Mon, 27 Apr 1998 07:46:31 -0700 (PDT)
          (envelope-from dec@phoenix.its.rpi.edu)
Received: from localhost (dec@localhost)
	by phoenix.its.rpi.edu (8.8.8/8.8.7) with SMTP id KAA29392;
	Mon, 27 Apr 1998 10:41:46 -0400 (EDT)
	(envelope-from dec@phoenix.its.rpi.edu)
Date: Mon, 27 Apr 1998 10:41:45 -0400 (EDT)
From: "David E. Cross" <dec@phoenix.its.rpi.edu>
To: Alexander Matey <lx@hosix.ntu-kpi.kiev.ua>
cc: Eivind Eklund <eivind@yes.no>, Julian Elisher <julian@whistle.com>,
        freebsd-hackers@FreeBSD.ORG
Subject: Re: Static ARP (IFF_NOARP usage in ethernet interfaces)
In-Reply-To: <19980427150520.39431@hosix.ntu-kpi.kiev.ua>
Message-ID: <Pine.BSF.3.96.980427103932.27742A-100000@phoenix.its.rpi.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 27 Apr 1998, Alexander Matey wrote:

> On Sun, Apr 26, 1998 at 11:56:10PM +0200, Eivind Eklund wrote:
> > > I see no technical reason against this but
> > > I'm curious why one would want to do this.. I can't imagine 
> > > a single reason for not wanting to do arp..
> > 
> > Security.  You want to be able to force a particular MAC address to
> > match a particular IP address, so people can't come with a different
> > computer and take over the IP address of a known computer.
> 
>   Yes, security. I my situation it stands for about 50 computers on 4 
> ethernet subnets, some of them do have internet access while the others 
> don't.
> 

That does not seem like much of an obstacle to overcome, on most ethernet
cards you can over-ride the MAC address of the card.  All you need to do
is DOS the other machine into obblivion, change your MAC, ifconfig for his
IP address, and do a broadcast ping to reset any switches that may be in
the network.. (you are still hosed if you have a hub with security though)

--
David Cross


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message