From owner-freebsd-security Sat Nov 25 14:13: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by hub.freebsd.org (Postfix) with ESMTP id 0784A37B4C5
	for ; Sat, 25 Nov 2000 14:13:00 -0800 (PST)
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.9.3/8.9.3) id PAA26585;
	Sat, 25 Nov 2000 15:12:56 -0700 (MST)
Message-Id: <200011252212.PAA26585@faith.cs.utah.edu>
Subject: Re: static ARP tables
To: Gerhard.Sittig@gmx.net
Date: Sat, 25 Nov 2000 15:12:56 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Dominick LaTrappe" at Nov 24, 2000 05:10:22 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Dominick LaTrappe once said:
>
> On Fri, 24 Nov 2000 Gerhard Sittig wrote:
> > You might be interested in the conf/23063 PR with the
> > "[PATCH] for static ARP tables in rc.network" synopsis
> > (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063).
>
> With software-set MAC addresses supported by a number of cards, this patch
> does not provide much security.

When used in conjunction with switch-enforced MAC security, it's actually
quite useful. You yourself state this; I have a need for exactly this kind
of functionality for Utah's network testbed, actually.

You have a point, of course; this shouldn't be plugged as "the perfect
solution for ip-based authentication," because it does have many holes of
which a user must be aware, but it's a very nice thing to have around, and
I'd love to see it controllable via rc.conf.

One thing that would be nice from my perspective would be the ability to
specify an external file that contains the static ARP entries, e.g.

    static_arp_table="/etc/arpfile"

(The same kind of functionality currently provided by rc.firewall).

Thanks, Gerhard!

  -Dave

--
work: dga@lcs.mit.edu                 me: dga@pobox.com
MIT Laboratory for Computer Science   http://www.angio.net/
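
The external-file idea from the message above, sketched as an added example; it is not part of the original post or of the conf/23063 patch. It assumes a file of `<ipv4> <mac>` lines with `#` comments; the function names and the `ARP_CMD` variable are hypothetical, and the sample addresses are constructed. The file is validated as a whole and rejected if any entry is malformed or an IP is pinned twice, so a bad edit cannot half-load the table.

```shell
# Added example. Assumed format: one "<ipv4> <mac>" pair per line, '#' comments.
# validate_arp_file FILE: print normalized "ip mac" pairs on stdout and
# problems on stderr; return non-zero on any malformed or duplicate entry.
validate_arp_file() {
    awk '
    { sub(/#.*/, "") }                       # strip comments
    NF == 0 { next }                         # skip blank lines
    {
        ip = $1; mac = tolower($2); ok = (NF == 2)
        if (split(ip, o, ".") != 4) ok = 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (split(mac, h, ":") != 6) ok = 0
        for (i = 1; i <= 6; i++)
            if (h[i] !~ /^[0-9a-f][0-9a-f]$/) ok = 0
        if (!ok) {
            printf("line %d: malformed entry\n", NR) > "/dev/stderr"
            bad = 1; next
        }
        if (ip in seen) {                    # one IP must map to one MAC
            printf("line %d: %s pinned twice\n", NR, ip) > "/dev/stderr"
            bad = 1; next
        }
        seen[ip] = mac; print ip, mac
    }
    END { exit bad + 0 }
    ' "$1"
}

# load_static_arp FILE: install entries only if the whole file validates.
# Dry run by default (prints the commands); set ARP_CMD=arp on the host.
load_static_arp() {
    entries=$(validate_arp_file "$1") || return 1
    printf '%s\n' "$entries" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        ${ARP_CMD:-echo arp} -s "$ip" "$mac"
    done
}

# Constructed sample table; the last entry conflicts with the first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
10.0.0.1 00:A0:C9:11:22:33
10.0.0.2 00:a0:c9:44:55:66   # gateway
10.0.0.1 00:a0:c9:de:ad:01
EOF
load_static_arp "$sample" || echo "refused: fix $sample before loading"
rm -f "$sample"
```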