[Olsr-dev] ARP prevention!

Henning Rogge (spam-protected)
Thu Aug 18 07:52:38 CEST 2011


On Thu, 18 Aug 2011 00:29:22 Andrea Di Pasquale wrote:
> I do not want to do a plugin...
> This is the logic:
> 
> Ethernet and wireless are broadcast technology =>
> => Olsrd uses this technology =>
> => You can use any technology to L3 point-to-point, point-to-multipoint,
> multipoint => => Olsrd to L3 multipoint, indirectly uses ARP to L2 for
> each two host (1 segment), or n host (n / 2 segments) in multipoint
At least for the user traffic. The protocol traffic doesn't even trigger ARPs, 
because it's all broadcast (multicast).

> This implies that olsrd is liable to attack Man In The Middle with ARP
> spoofing in every segment, every two hosts or all segments between hosts.
> 
> Let me give two examples:
> 
> 1. Spoof two nodes, multi-hop communications between them pass by me
> 2. Spoof all nodes, all multi-hop communications between them pass from me.
> 
> I do not want to do a plugin.
> I would only suggest that there is a solution to these problems and that it
> contributes much to olsrd seen that indirectly uses ARP.
A problem I see is that securing ARP does not protect against man in the 
middle attacks. No one prevents an attacker from spoofing the ARP address of the 
real node and relaying "authenticated ARP requests" just to the original node.

Another option is to build a layer-2 transparent tunnel to draw traffic to you. 
There is not much you can do without hardware modification against this, 
because the tunnel will just relay traffic from nodes far away, so you see a 
valid communication link to a valid node.

The idea to authenticate your layer-2 unicast communication partners is good, 
but you need a way to tie this authentication to your traffic communication. If 
you only do this protection for ARPs, you will not be able to verify that 
traffic is coming from the right node, because the incoming MAC/IP packet cannot 
prove it's from the same node you used to authenticate the ARP.

If you want to secure traffic from spoofing, you need to authenticate each data 
packet.

Henning Rogge
-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Neuenahrer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:(spam-protected) http://www.fkie.fraunhofer.de
GPG: E1C6 0914 490B 3909 D944 F80D 4487 C67C 55EC CFE0
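The point made above, that a one-time ARP authentication says nothing about later data frames while a per-packet MAC does, as an added illustration; this is a constructed Python sketch, not olsrd code or anything from the thread, and the node addresses, key and frames are made-up sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Hypothetical neighbour-authentication sketch (not olsrd code): compares an
# "authenticated ARP" table lookup with a keyed MAC over every data packet.

@dataclass
class Frame:
    src_mac: str      # Ethernet source address as seen on the wire
    src_ip: str       # IP source claimed inside the frame
    payload: bytes
    tag: bytes = b""  # per-packet HMAC; empty for a sender without a key

def accept_by_arp(arp_table: dict, frame: Frame) -> bool:
    """Authenticated-ARP model: the (IP, MAC) binding was verified once,
    but nothing in the frame proves that *this* frame came from that node."""
    return arp_table.get(frame.src_ip) == frame.src_mac

def packet_tag(key: bytes, src_ip: str, payload: bytes) -> bytes:
    return hmac.new(key, src_ip.encode() + b"|" + payload, hashlib.sha256).digest()

def sign_frame(key: bytes, frame: Frame) -> Frame:
    frame.tag = packet_tag(key, frame.src_ip, frame.payload)
    return frame

def accept_by_packet_auth(keys: dict, frame: Frame) -> bool:
    """Per-packet model: each frame carries a MAC under the neighbour's key,
    so the frame itself proves who built it and that the payload is intact."""
    key = keys.get(frame.src_ip)
    if key is None or not frame.tag:
        return False
    return hmac.compare_digest(packet_tag(key, frame.src_ip, frame.payload), frame.tag)

def run_scenario() -> dict:
    # Constructed sample: node B is a legitimate neighbour with a shared key; a
    # frame that merely copies B's wire identity (IP and MAC) passes the ARP
    # check but fails the per-packet check, as does a frame with a reused tag.
    arp_table = {"10.0.0.2": "aa:bb:cc:00:00:02"}
    keys = {"10.0.0.2": b"constructed-shared-key-for-node-B"}
    genuine = sign_frame(keys["10.0.0.2"], Frame("aa:bb:cc:00:00:02", "10.0.0.2", b"hello"))
    copied_identity = Frame("aa:bb:cc:00:00:02", "10.0.0.2", b"hello")
    reused_tag = Frame("aa:bb:cc:00:00:02", "10.0.0.2", b"hello!", tag=genuine.tag)
    return {
        "genuine_arp": accept_by_arp(arp_table, genuine),
        "copied_arp": accept_by_arp(arp_table, copied_identity),
        "genuine_pkt": accept_by_packet_auth(keys, genuine),
        "copied_pkt": accept_by_packet_auth(keys, copied_identity),
        "reused_tag_pkt": accept_by_packet_auth(keys, reused_tag),
    }

if __name__ == "__main__":
    print(run_scenario())
```

A real deployment would also need a sequence number or timestamp inside the tagged data to reject replayed frames, which this sketch leaves out.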