[Olsr-dev] ARP prevention!

Andrea Di Pasquale (spam-protected)
Thu Aug 18 11:50:57 CEST 2011

Il giorno 18/ago/2011, alle ore 07:52, Henning Rogge ha scritto:

> On Thu, 18 Aug 2011 00:29:22 Andrea Di Pasquale wrote:
>> I do not want to do a plugin...
>> This is the logic:
>> Ethernet and wireless are broadcast technology =>
>> => Olsrd uses this technology =>
>> => You can use any technology to L3 point-to-point, point-to-multipoint,
>> multipoint => => Olsrd to L3 multipoint, indirectly uses ARP to L2 for
>> each two host (1 segment), or n host (n / 2 segments) in multipoint
> At least for the user traffic. The protocol traffic doesn't even trigger arps, 
> because its all broadcast (multicast).
>> This implies that olsrd is liable to attack Man In The Middle with ARP
>> spoofing in every segment, every two hosts or all segments between hosts.
>> Let me give two examples:
>> 1. Spoof two nodes, multi-hop communications between them pass by me
>> 2. Spoof all nodes, all multi-hop communications between them pass from me.
>> I do not want to do a plugin.
>> I would only suggest that there is a solution to these problems and that it
>> contributes much to olsrd seen that indirectly uses ARP.
> A problem I see is that securing arp does not protect against man in the 
> middle attacks. Noone prevents an attacker to spoof the arp address of the 
> real node and relay "authenticated arp requests" just to the original node.

ArpON does what you're asking with the cooperation of all nodes. :)

Read please these links:


> Another option is to build a layer-2 transparent tunnel to draw traffic to you. 
> There is not much you can do without hardware modification against this, 
> because the tunnel will just relay traffic from nodes far away, so you see a 
> valid communication link to a valid node.
> The idea to authenticate your layer-2 unicast communication partners is good, 
> but you need a way to tie this authentication to your traffic communication. If 
> you only do this protection for ARPs, you will not be able to verify that 
> traffic is coming from the right node because the incoming Mac/IP packet cannot 
> prove its from the same node you used to authenticate the ARP.
> If you want to secure traffic from spoofing, you need to authenticate each data 
> packet.

In ARP, you solve the problem with authenticating each host and ArpON does it.


More information about the Olsr-dev mailing list