best auth method?

Jim Carter jimc at math.ucla.edu
Fri Dec 20 09:45:28 EST 2002


On Thu, 19 Dec 2002, Jason Radford wrote:
> does anything stop someone from sniffing the network to get a mac address
> to emulate though?  Or is this something I shouldn't be concerned
> with?

It can be done but I think it's not a likely scam.  If 2 stations have the
same MAC address at the same time, the interloper can probably get DHCP to
send a new assignment of an IP address.  Normally it would give the one it
just gave to that MAC address.  Then IP connections would be totally hosed
for both machines.  If machine A receives a packet from machine B, with
its own IP address in it, it's going to erupt in fury; some IP stacks will
commit suicide.  Any broadcast packet would reveal the existence of machine
B, and you have to broadcast to do ARP.

On the other hand, if machine B manually set up an unused IP address,
both machines would get all the traffic for both machines, but they should
just drop packets for the other machine.  I can't think of anything fatal
that would ensue; maybe someone else can?

How sophisticated are your thief-type users?

The ideal would be to emulate a switched hub, with an individual session
key per AP <-> client association, and some way to ask the AP for a map
between session indices and MAC addresses.  Then it would be obvious if two
clients were using the same MAC address.  Too bad I wasn't there when
802.11b was being designed.  Now here's what you could do with
iptables:  for each authenticated session, insert a rule keyed on the IP
address that calls a subchain starting with a rule that checks the MAC
address.  If it matches, accept the packet; if not, log the error and toss
it.

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA  90095-1555
Email: jimc at math.ucla.edu    http://www.math.ucla.edu/~jimc (q.v. for PGP key)
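
The iptables scheme described in the message above, sketched as an added example that is not part of the original post. It prints the rules for one authenticated session instead of running them. The `sess_<ip>` chain naming, the use of the FORWARD chain, the log prefix and the sample addresses are all assumptions.

```shell
#!/bin/sh
# Added example: emit (not execute) iptables commands that bind an
# authenticated session's IP address to the MAC address it logged in with.
# Assumptions: client traffic crosses the gateway's FORWARD chain; the
# sess_<ip> chain names and the log prefix are hypothetical.

valid_ip() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac        # digits and dots only
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    case $1 in ''|*[!0-9A-Fa-f:]*) return 1 ;; esac  # hex digits and colons only
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

chain_name() {
    printf 'sess_%s\n' "$1" | tr . _                 # 10.0.0.23 -> sess_10_0_0_23
}

session_open() {
    ip=$1 mac=$2
    valid_ip "$ip" && valid_mac "$mac" || return 1   # never emit unchecked input
    chain=$(chain_name "$ip")
    cat <<EOF
iptables -N $chain
iptables -A $chain -m mac --mac-source $mac -j ACCEPT
iptables -A $chain -j LOG --log-prefix "MACFAIL $ip: "
iptables -A $chain -j DROP
iptables -I FORWARD -s $ip -j $chain
EOF
}

session_close() {
    ip=$1
    valid_ip "$ip" || return 1
    chain=$(chain_name "$ip")
    cat <<EOF
iptables -D FORWARD -s $ip -j $chain
iptables -F $chain
iptables -X $chain
EOF
}

# Constructed sample session; review the output, then pipe it to sh as root.
session_open 10.0.0.23 00:11:22:33:44:55
```

These rules flag a packet whose source IP arrives with a different MAC address than the one recorded for the session; a station that copies both the IP and the MAC still matches the ACCEPT rule.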
