From: Duane Whitty
Date: Fri, 24 Mar 2006 07:20:55 -0400
To: Eygene Ryabinkin
Cc: freebsd-net@freebsd.org, Jon Otterholm
Subject: Re: How do you keep users from stealing other user's ip??

Eygene Ryabinkin wrote:
>> To prevent users from MAC-spoofing - buy a switch with some kind of
>> "port-security". If you could lock down a port to just one MAC and have a
>> static ARP on the router it would be pretty hard to spoof the MAC-address. With
>> another MAC than the one associated with the port you simply will not be able
>> to talk to anyone.
>>
> No-no-no, it is _very_ easy to spoof MAC address. For FreeBSD it is just
> 'ifconfig em0 link 00:11:22:33:44:55'. Almost the same for Linux and
> pretty easy for Windows. Port security would not prevent MAC spoofing --
> you can not rely on the MAC provided by computer since it is easy to
> determine one for the 'trusted' machine and set yours to that.
>
I agree, no problem to spoof the MAC. But if the user does so they lock
themselves out because the port on the switch they connect to will only
talk to one MAC address, the one they were originally given.

--Duane
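
One way to check that the static ARP bindings discussed in this thread are actually in place on the router, as an added example that is not part of the original message: it audits FreeBSD `arp -an` output against the list of assigned IP-to-MAC pairs. The addresses, the sample output and the function names are constructed for illustration.

```python
import re

# Line shape printed by FreeBSD `arp -an`. Incomplete entries carry no MAC,
# do not match, and are therefore reported as "no-entry".
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifc>\S+)(?P<rest>.*)"
)

def parse_arp(text):
    """Return {ip: (mac, is_permanent)} from `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line.lower())
        if m:
            table[m["ip"]] = (m["mac"], "permanent" in m["rest"])
    return table

def audit(assigned, arp_text):
    """Compare the router's ARP table with the assigned IP -> MAC bindings."""
    table = parse_arp(arp_text)
    findings = []
    for ip, mac in sorted(assigned.items()):
        seen = table.get(ip)
        if seen is None:
            findings.append((ip, "no-entry"))      # binding was never installed
        elif seen[0] != mac.lower():
            findings.append((ip, "wrong-mac"))     # IP is answered by another MAC
        elif not seen[1]:
            findings.append((ip, "not-static"))    # right MAC, but learned dynamically
    for ip in sorted(set(table) - set(assigned)):
        findings.append((ip, "unassigned"))        # address nobody was given
    return findings

# Constructed sample data (hypothetical hosts, locally administered MACs).
ASSIGNED = {
    "192.168.0.10": "02:00:00:00:00:0a",
    "192.168.0.11": "02:00:00:00:00:0b",
    "192.168.0.12": "02:00:00:00:00:0c",
    "192.168.0.13": "02:00:00:00:00:0d",
}
SAMPLE = """\
? (192.168.0.10) at 02:00:00:00:00:0a on em0 permanent [ethernet]
? (192.168.0.11) at 02:00:00:00:00:0b on em0 expires in 1187 seconds [ethernet]
? (192.168.0.12) at 02:00:00:00:00:0a on em0 expires in 300 seconds [ethernet]
? (192.168.0.99) at 02:00:00:00:00:63 on em0 expires in 42 seconds [ethernet]
"""

if __name__ == "__main__":
    for ip, problem in audit(ASSIGNED, SAMPLE):
        print(ip, problem)
```

A "not-static" finding means the entry is still learned from the wire, so the router would accept a new MAC for that IP; a "wrong-mac" finding is the address-takeover case the thread is about.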