[Olsr-dev] ARP prevention!
Andrea Di Pasquale
Thu Aug 18 11:50:57 CEST 2011
On 18 Aug 2011, at 07:52, Henning Rogge wrote:
> On Thu, 18 Aug 2011 00:29:22 Andrea Di Pasquale wrote:
>> I do not want to do a plugin...
>> This is the logic:
>>
>> Ethernet and wireless are broadcast technology =>
>> => Olsrd uses this technology =>
>> => You can use any technology to L3 point-to-point, point-to-multipoint,
>> multipoint => => Olsrd to L3 multipoint, indirectly uses ARP to L2 for
>> each two host (1 segment), or n host (n / 2 segments) in multipoint
> At least for the user traffic. The protocol traffic doesn't even trigger ARPs,
> because it's all broadcast (multicast).
>
>> This implies that olsrd is liable to a Man In The Middle attack with ARP
>> spoofing in every segment, every two hosts or all segments between hosts.
>>
>> Let me give two examples:
>>
>> 1. Spoof two nodes, multi-hop communications between them pass by me
>> 2. Spoof all nodes, all multi-hop communications between them pass from me.
>>
>> I do not want to do a plugin.
>> I would only suggest that there is a solution to these problems and that it
>> contributes much to olsrd, seeing that it indirectly uses ARP.
> A problem I see is that securing ARP does not protect against man in the
> middle attacks. No one prevents an attacker from spoofing the ARP address of the
> real node and relaying "authenticated ARP requests" just to the original node.
ArpON does what you're asking with the cooperation of all nodes. :)
Please read these links:
http://arpon.sourceforge.net/
http://arpon.sourceforge.net/documentation.html
http://arpon.sourceforge.net/algorithms.html
>
> Another option is to build a layer-2 transparent tunnel to draw traffic to you.
> There is not much you can do without hardware modification against this,
> because the tunnel will just relay traffic from nodes far away, so you see a
> valid communication link to a valid node.
>
> The idea to authenticate your layer-2 unicast communication partners is good,
> but you need a way to tie this authentication to your traffic communication. If
> you only do this protection for ARPs, you will not be able to verify that
> traffic is coming from the right node because the incoming Mac/IP packet cannot
> prove it's from the same node you used to authenticate the ARP.
>
> If you want to secure traffic from spoofing, you need to authenticate each data
> packet.
In ARP, you solve the problem by authenticating each host, and ArpON does it.
Andrea
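An added example, not code from this thread, from olsrd or from ArpON: a passive check for the binding conflicts that the "spoof two nodes" scenario above produces on a segment, fed with constructed raw ARP replies. The MAC and IP values, node names A/B and the attacker MAC X are all constructed for the sample.

```python
import struct
from collections import defaultdict

ARP_REPLY = 2
# Ethernet/IPv4 ARP payload: htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)
ARP_FMT = "!HHBBH6s4s6s4s"

def _mac(m): return bytes.fromhex(m.replace(":", ""))
def _ip(a): return bytes(int(o) for o in a.split("."))

def build_arp_reply(sha, spa, tha, tpa):
    """Build a raw ARP reply; used here only to construct sample traffic."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def parse_arp(frame):
    """Decode the ARP payload (the 28 bytes after the Ethernet header) into a dict."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sha": ":".join(f"{b:02x}" for b in sha), "spa": ".".join(map(str, spa)),
            "tha": ":".join(f"{b:02x}" for b in tha), "tpa": ".".join(map(str, tpa))}

def detect_spoofing(frames):
    """Passive check: learn IP->MAC bindings from ARP replies and flag (a) an IP that
    changes MAC and (b) one MAC answering for several IPs. Heuristic only: a host with
    several addresses also trips (b), and a relay that keeps real bindings is not seen."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        arp = parse_arp(frame)
        if arp["op"] != ARP_REPLY:
            continue
        spa, sha = arp["spa"], arp["sha"]
        known = ip_to_mac.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"binding change: {spa} was {known}, now claimed by {sha}")
        mac_to_ips[sha].add(spa)
        if len(mac_to_ips[sha]) > 1:
            alerts.append(f"one MAC {sha} claims several IPs: {sorted(mac_to_ips[sha])}")
    return alerts

# Constructed sample: nodes A and B answer each other, then a third MAC X (hypothetical
# attacker) answers for both of them, the first scenario from the thread.
A, B, X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
SAMPLE_FRAMES = [
    build_arp_reply(A, "10.0.0.1", B, "10.0.0.2"),
    build_arp_reply(B, "10.0.0.2", A, "10.0.0.1"),
    build_arp_reply(X, "10.0.0.1", B, "10.0.0.2"),
    build_arp_reply(X, "10.0.0.2", A, "10.0.0.1"),
]

if __name__ == "__main__":
    for line in detect_spoofing(SAMPLE_FRAMES):
        print(line)
```

As Henning's reply points out, this only watches the ARP bindings: a layer-2 relay that leaves the real bindings in place, or spoofed data packets, are not something an ARP-level check can see, which is why each data packet would need its own authentication.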