Corporate Reactions to Linux (fwd)

tschweikle at FIDUCIA.de tschweikle at FIDUCIA.de
Wed Oct 13 08:28:17 GMT 1999


ard <ard at wau.mis.ah.nl> wrote:

> On Wed, Oct 13, 1999 at 06:00:23AM +1000, tschweikle at FIDUCIA.de wrote:
>> A better way I am aware of is monitoring mac addresses inside your
>> LAN --- thus giving you the whole control about which computers
>> are allowed to access your network, putting the burden on you to
>> adapt every network hardware change and reconfigure your routers
>> and switches (cause this only makes sense if you close any ports
>> using unknown mac addresses).
>>
>> But even this isn't waterproof: what about illegal computers using
>> old and known network cards?
> Well, it really does not matter what kind of cards you use. In my
> experience of ethernet driver programming, the toughest quest, next
> to getting documentation, is to obtain the MAC-address. MAC is purely
> software.
> As a matter of fact, plain redhat-linux has the MAC-address as one of
> its interface configuration parameters, and I am relying on that to
> get the proper IP address from the DHCP server of my cable-internet
> provider. And for my ethernet driver: I did not succeed in obtaining
> it from the EISA bios. So I documented to use
> ifconfig <eth> hw ether xx:xx:xx:xx:xx:xx
> before upping...
>> > you can then either email / page the administrator or run
>> > denial-of-service attacks against the offending server to take it down (a
>> > drastic and not highly recommended course of action).
>> If you do have token ring there would be a simple DoS: send it
>> a "close adapter" command. Some ethernet adapters do have this
>> command too.
> When using windows NT, a small token-ring packet containing too
> many entries (I thought the RIP packet containing more than 7 entries),
> will crash an entire segment of NT based systems. And no tracing of
> who did it...
>
> I guess there is no security on ethernet based networks on which there
> is no form of encryption used. The only safe way is probably to use
> encrypted communications between each computer, of course with strong
> public/private key authentication.

The only way of doing it reliably. Communication does not need to be
encrypted, but every network packet needs to carry an additional
key value, verifying it came from whoever claims to have sent it.

Kerberos is one solution to the problem: "you can't trust your
network nor your users and computers".

But this means changes to existing protocols. The best solution
would be to change the IP layer --- but this would make it
incompatible with existing systems. The other solution (Kerberos
takes it) is to change all applications to use authentication tickets
sent with the data. But this leaves the burden on application
programmers. Are you sure _all_ applications are properly
enhanced (kerberized) ...!?

The upcoming IPv6 does have such techniques implemented to ensure
network and data integrity (with or without encryption).

--
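The per-packet "additional key value" the reply argues for, as an added illustration that is not part of the original thread or of any of the systems it names: each frame carries an HMAC tag over its source, destination, sequence number and payload under a shared key, so a host that merely sets its card to someone else's MAC address (as the `ifconfig hw ether` quote shows is trivial) is not believed, and a replayed frame is dropped. The demo key, the locally administered MAC values and the frame layout are all constructed for this example; the payload stays unencrypted, which is the point the reply makes.

```python
import hmac
import hashlib
import struct

# Constructed demo key; in practice each host pair would get its key from
# a key-distribution service (Kerberos-style) rather than a constant.
SHARED_KEY = b"demo-shared-key-not-for-real-use"
TAG_LEN = 32
HDR_LEN = 6 + 6 + 4  # src MAC, dst MAC, 32-bit sequence number

def build_frame(key, src, dst, seq, payload):
    """Frame = src | dst | seq | payload | HMAC-SHA256 over all of the above.
    The payload is sent in the clear; only origin and integrity are protected."""
    body = src + dst + struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_frame(key, frame, last_seq):
    """Return (src, payload) if the tag is valid and seq is fresh, else None.
    last_seq maps src -> highest sequence number accepted so far."""
    if len(frame) < HDR_LEN + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    src = body[:6]
    seq = struct.unpack("!I", body[12:16])[0]
    if seq <= last_seq.get(src, -1):              # replayed or out of order
        return None
    last_seq[src] = seq
    return src, body[HDR_LEN:]

def demo():
    """Run the cases raised in the thread; returns which frames were accepted."""
    alice = bytes.fromhex("02000000aa01")   # constructed locally administered MACs
    bob = bytes.fromhex("02000000bb02")
    state = {}
    good = build_frame(SHARED_KEY, alice, bob, 1, b"hello bob")
    results = {"genuine": verify_frame(SHARED_KEY, good, state) is not None}
    # Same frame delivered a second time: rejected by the sequence check.
    results["replay"] = verify_frame(SHARED_KEY, good, state) is not None
    # A host that sets its card to Alice's MAC but holds no key: its tag is
    # wrong, so the claimed source is not believed no matter what the card says.
    forged = alice + bob + struct.pack("!I", 2) + b"evil" + bytes(TAG_LEN)
    results["spoofed_mac_no_key"] = verify_frame(SHARED_KEY, forged, state) is not None
    # Genuine frame whose source field was rewritten in transit: tag no longer fits.
    tampered = bob + good[6:]
    results["rewritten_src"] = verify_frame(SHARED_KEY, tampered, state) is not None
    return results

if __name__ == "__main__":
    print(demo())
```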


More information about the samba-ntdom mailing list