From owner-freebsd-security@FreeBSD.ORG Mon Apr 5 02:59:49 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id AEBE816A4CE;
	Mon, 5 Apr 2004 02:59:49 -0700 (PDT)
Received: from nildram.net (vmailw2k45b.trinitevisp.co.uk [195.38.80.126])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2E85D43D6E;
	Mon, 5 Apr 2004 02:59:48 -0700 (PDT)
	(envelope-from dan.ros@nildram.net)
Received: from exchange1.office.nildram.net [195.149.27.210]
	by VMAILW2K45B.trinitevisp.co.uk with ESMTP;
	Mon, 5 Apr 2004 10:59:41
Received: by exchange1.office.nildram.net
	with Internet Mail Service (5.5.2653.19) id ;
	Mon, 5 Apr 2004 10:59:40 +0100
Message-ID:
From: Dan Ros
To: 'Adrian Penisoara' , "'freebsd-security@freebsd.org'"
Date: Mon, 5 Apr 2004 10:59:40 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
X-Mailman-Approved-At: Tue, 06 Apr 2004 04:26:39 -0700
cc: "'freebsd-isp@freebsd.org'"
Subject: RE: Controlling access at the Ethernet level
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 05 Apr 2004 09:59:49 -0000

> -----Original Message-----
> From: Adrian Penisoara [mailto:ady@freebsd.ady.ro]
> Sent: 04 April 2004 19:23
> To: freebsd-security@freebsd.org
> Cc: freebsd-isp@freebsd.org
> Subject: Q: Controlling access at the Ethernet level
>
>
> We are facing service theft through impersonation, either solely IP
> or both IP and Ethernet MAC address. Securing IP access was solved
> using a static ARP scheme (we used "staticarp" for the internal gateway
> interface and tied to it a fixed list of IP/MAC tuples), but some of
> the clients learnt how to change both the IP and the MAC. ...

This sounds like a university residential halls network, am I right?
For what it's worth, the university I attend has tried both DHCP by MAC address, static ARP and so on. Eventually now they have given up and the cost of the network connection is simply included in the rent for the room. That way they do not have to worry about unauthorised access.