[Olsr-dev] ARP prevention!

Markus Kittenberger (spam-protected)
Wed Aug 17 17:20:32 CEST 2011


caution: olsrd is no layer 2 mesh!

(so there are no multihop implications regarding ARP)
every olsrd node only knows the MAC addresses of its direct neighbours

therefore you just need ArpON on node a b and c
to detect man in the middle d

Markus
On Wed, Aug 17, 2011 at 3:21 PM, Andrea Di Pasquale <(spam-protected)> wrote:

> Hi,
>
> Because in a local network with IPv4, each host can communicate with other
> hosts inside the network thanks to ARP. In a multihop network such as olsrd,
> olsrd does its job at the network layer, but each route for every host works
> in conjunction with ARP at the datalink layer.
> Example: I want to reach node B from A:
>
> HostA <=> hostC <=> HostB
>
> Olsrd will do its work, but will be able to decide the route ACB thanks to
> the existence of nodes C and B. The existence of each network node is
> determined by ARP.
> Consider an additional node, node D, that performs a Man In The Middle
> attack using ARP Spoofing, masquerading as node B to C and as C to B:
>
> HostA <=> hostC <=> hostD <=> HostB
>
> OLSRd will always choose the same route. HostD will be able to intercept
> all traffic from/to hostA <=> HostB and OLSRd will not be able to avoid
> similar situations.
>
> That's why I think ArpON is useful and helps to avoid situations like
> these.
>
> The benefits are many if we speak of the stack of a decentralized and
> cooperative network:
>
> Applications -> All services
> Transport -> TCP, UDP & co
> Network -> IPv4 with OLSRd
> Datalink -> ARP with ArpON
>
> This stack is able to secure all services running at the Application level
> because ArpON authenticates each host in the network, OLSRd handles each
> route for hosts in the network secure from attacks, TCP and UDP do their
> work and each service at the top is secure from any attacks.
>
> Thanks,
>
>
> Andrea
>
> On 17 Aug 2011, at 10:08, ZioPRoTo (Saverio Proto) wrote:
>
> >> I want to do a port of ArpON (www: http://arpon.sourceforge.net) for
> >> the OLSRd project for securing the MAC layer (IPv4 environment) against
> >> Man In The Middle attacks through the ARP Spoofing attack and its derived
> >> attacks.
> >
> > Hello,
> >
> > your project looks very interesting. However I don't understand why we
> > should not just run olsrd and the current implementation of ArpON
> > separately.
> >
> > The olsrd daemon never manages data traffic and sent packets are always
> > broadcast/multicast, so the ARP protocol is not involved.
> >
> > What is the benefit of running ArpON as an olsrd plugin? Why does it have
> > to interact with the routing protocol?
> >
> > thanks
> >
> > Saverio
>
>
>
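
Added example, not part of the original thread and not ArpON or olsrd code: since each olsrd node only resolves the MAC addresses of its direct neighbours, the check that matters on node C is whether neighbour B's IP address keeps the MAC it was first seen with. The C below is a simplified first-seen binding check run over constructed ARP payloads; the function names, IP address and MACs are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEIGH 16
enum arp_verdict { ARP_IGNORED = 0, ARP_LEARNED, ARP_CONSISTENT, ARP_CONFLICT };
struct binding { uint8_t ip[4]; uint8_t mac[6]; };
struct neigh_table { struct binding b[MAX_NEIGH]; size_t n; };

/* Check one 28-byte Ethernet/IPv4 ARP payload against the neighbour table. */
enum arp_verdict arp_check(struct neigh_table *t, const uint8_t *p, size_t len)
{
    static const uint8_t hdr[6] = { 0x00, 0x01, 0x08, 0x00, 6, 4 };
    if (len < 28 || memcmp(p, hdr, 6) != 0)
        return ARP_IGNORED;                 /* not Ethernet/IPv4 ARP */
    const uint8_t *sha = p + 8, *spa = p + 14;  /* sender MAC, sender IP */
    for (size_t i = 0; i < t->n; i++) {
        if (memcmp(t->b[i].ip, spa, 4) != 0)
            continue;
        /* Known neighbour IP: a different sender MAC is a conflict. */
        return memcmp(t->b[i].mac, sha, 6) == 0 ? ARP_CONSISTENT : ARP_CONFLICT;
    }
    if (t->n == MAX_NEIGH)
        return ARP_IGNORED;                 /* table full: do not learn */
    memcpy(t->b[t->n].ip, spa, 4);
    memcpy(t->b[t->n].mac, sha, 6);
    t->n++;
    return ARP_LEARNED;
}

/* Build a constructed ARP reply (opcode 2) claiming that ip is at mac. */
void make_reply(uint8_t out[28], const uint8_t mac[6], const uint8_t ip[4])
{
    static const uint8_t hdr[8] = { 0x00, 0x01, 0x08, 0x00, 6, 4, 0x00, 0x02 };
    memset(out, 0, 28);
    memcpy(out, hdr, 8);
    memcpy(out + 8, mac, 6);
    memcpy(out + 14, ip, 4);
}

int main(void)
{
    /* Constructed sample data: node C's view of neighbour B, then of D. */
    const uint8_t ip_b[4] = { 10, 0, 0, 2 };
    const uint8_t mac_b[6] = { 0x02, 0, 0, 0, 0, 0x0b };
    const uint8_t mac_d[6] = { 0x02, 0, 0, 0, 0, 0x0d };
    struct neigh_table t = { .n = 0 };
    uint8_t pkt[28];
    make_reply(pkt, mac_b, ip_b);
    printf("B announces itself: %d\n", arp_check(&t, pkt, sizeof pkt));
    make_reply(pkt, mac_d, ip_b);
    printf("D claims B's IP:    %d\n", arp_check(&t, pkt, sizeof pkt));
    return 0;
}
```

The table keeps the first binding on a conflict, so whichever MAC is seen first is trusted; the check is only as good as that first observation.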