DHCP!
Tom Mitchell
mitch48 at sbcglobal.net
Fri Feb 13 23:53:18 UTC 2004
On Wed, Feb 11, 2004 at 10:06:26AM -0200, Nelson Guedes Paulo Junior wrote:
>
> I'm not seeing this as a "problem", it's all working fine, the NIC's are
> exactly the same model, but have diferent MAC's. My problem is, if a user CAN
> change his MAC adreess, even if ONLY root can change, it's easy to implement
> a spoofing right????
>
> So, why is permited to change the MAC this way??????
Why?
Because the MAC address is loaded by software.
The hardware is generic and the driver loads a MAC address commonly
found in a very small chunk of NVRAM on the motherboard or IO card
into the hardware. Since the driver source is open it would be
trivial to hack the driver and do anything. Thus (To Me) it makes
sense to expose it as a "feature" and not generate a false sense of
security.
The register in most network chips permits a change on the fly.
This is also EASY to do this on WinNT. The config screen does not label
the field as the MAC address but it can be changed. I did it in error
yesterday.
There ARE good reasons for permitting access to change the MAC
address. Some NAT considerations come to mind.
I have seen failure in the NVRAM part that contained the factory
address. Letting software set an address means that there is less junk
in the landfill this week.
Redundant system fail-over comes to mind.
Hardware upgrades....
Software keys might be involved. Having two NICs on the same net with
the same MAC address does not work. Thus the software key license
thing degenerates to one license per net which squashes a lot of
abuse.
If you snoop on a net when some PC hardware boots you can see the BIOS
send out a packet with the factory MAC address then the OS boots and
if someone has changed the MAC you will see another MAC address on the
wire. A system administrator can watch for and decide if this is a
problem. See: arpwatch.
I do see wireless access being managed by MAC addresses. This might
be necessary but it is not sufficient as a security solution.
--
T o m M i t c h e l l
mitch48-at-sbcglobal-dot-net
More information about the fedora-list
mailing list