[Olsr-dev] ARP prevention!
Ferry Huberts
Thu Aug 18 13:17:05 CEST 2011
I think Henning asked the right questions:
- How is the MAC address authenticated?
- What measures are taken to detect MAC spoofing?
These are basic questions, because a MAC address is trivial to spoof.
Please explain (at least) these issues so that we do not need to read
all of the ArpON docs.
I still think this is a layer 1.5 issue and of no concern to olsr.
On 08/18/2011 12:59 PM, Andrea Di Pasquale wrote:
> On 18 Aug 2011, at 12:42, Henning Rogge wrote:
>
>> On Thu, 18 Aug 2011 11:50:57 Andrea Di Pasquale wrote:
>>> ArpON does what you're asking with the cooperation of all nodes. :)
>>>
>>> Read please these links:
>>>
>>> http://arpon.sourceforge.net/
>>> http://arpon.sourceforge.net/documentation.html
>>> http://arpon.sourceforge.net/algorithms.html
>> From what I read, ArpON does work if the attacker cannot spoof its MAC address.
>> Spoofing the MAC address is trivial in wireless networks.
>>
>>> In ARP, you solve the problem with authenticating each host and ArpON does
>>> it.
>> No, it does not.
>>
>> ArpON verifies that the MAC address of a communication partner belongs to the
>> verified node, nothing more.
>
> ArpON is a proactive solution or proactive protocol because it works with cooperative nodes.
> You can see ArpON as an evolution of the ARP protocol.
> ArpON doesn't authenticate the host as Cisco DAI does with a DHCP server.
>
> See here:
>
> http://arpon.sourceforge.net/img/algo/HARPI.jpg
>
> These algorithms don't implement an authentication solution.
> ArpON sets precise policies for ARP. Thus, ARP works in secure mode without cryptography.
>
>>
>> Imagine the following scenario.
>>
>> We have two verified users Alice (A) and Bob (B), which cannot directly hear
>> each other in the mesh.
>>
>> The attacker Mallory sets up two nodes, one near Alice (MA) and one near Bob
>> (MB) which are connected by a hidden channel (a cable for example).
>>
>> Mallory now begins to replay the traffic he hears on each node on the other
>> side, including MAC addresses.
>>
>> A --- MA --- MB --- B
>>
>> The OLSR instance of Alice will hear OLSR HELLO messages from Bob, which will
>> form a link between the two.
>>
>> When a unicast packet has to travel from Alice to Bob, Alice sends an ARP
>> challenge to Bob.
>>
>> MA will hear the ARP request and replay it on MB, where it will be heard by
>> Bob.
>>
>> Bob will reply with a cryptographically signed ARP response, which will be
>> transmitted by MB to MA and then to Alice.
>>
>> Alice is now sure that she knows the MAC address of Bob (which is true).
>>
>> But she still communicates with Bob through the cable between MA and MB, which
>> is controlled by Mallory.
>
> This is a problem of OLSRd, it isn't a problem of the ARP protocol.
>
>
> Andrea
--
Ferry Huberts
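The scenario Henning describes above, modelled as a small simulation. This is an added example and not code from the thread, from ArpON or from olsrd: the signing scheme (an HMAC over the challenge nonce, IP and MAC with a pre-shared key), the `Wormhole` relay and all node names, keys and addresses are constructed assumptions. It shows why a cryptographically verified ARP reply still says nothing about the path: a reply forwarded byte-for-byte through Mallory's two radios verifies exactly as a direct one does, while a reply whose MAC field has been altered is rejected.

```python
import hashlib
import hmac
import json
import os

# Constructed pre-shared keys; a real deployment would provision these out of band.
KEYS = {"bob": b"constructed-key-for-bob"}


class Node:
    """A mesh node with an IP, a MAC and (optionally) a signing key."""

    def __init__(self, name, ip, mac, key=None):
        self.name, self.ip, self.mac, self.key = name, ip, mac, key

    def arp_request(self, target_ip):
        # Fresh nonce: the reply must echo it, so stale replies cannot be reused.
        return {"op": "request", "from": self.ip, "target": target_ip,
                "nonce": os.urandom(8).hex()}

    def arp_reply(self, request):
        # Bind (nonce, ip, mac) together with an HMAC so the MAC cannot be forged.
        body = {"op": "reply", "nonce": request["nonce"],
                "ip": self.ip, "mac": self.mac, "signer": self.name}
        body["tag"] = _tag(self.key, body)
        return body


def _tag(key, body):
    payload = json.dumps({k: v for k, v in body.items() if k != "tag"},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_reply(reply, request):
    """Alice's check: correct nonce, known signer, and a valid tag over ip/mac."""
    if reply.get("nonce") != request["nonce"]:
        return False
    key = KEYS.get(reply.get("signer"))
    if key is None:
        return False
    return hmac.compare_digest(_tag(key, reply), reply["tag"])


class Wormhole:
    """Mallory's two radios (MA near Alice, MB near Bob) joined by a hidden channel.
    Frames are forwarded unchanged, MAC fields included, so signatures stay valid."""

    def __init__(self):
        self.hops = ["MA", "MB"]

    def relay(self, frame):
        return dict(frame)  # verbatim copy: nothing for a signature to detect


def run_scenario(through_wormhole):
    """Return what Alice learns and the path the frames actually took."""
    alice = Node("alice", "10.0.0.1", "02:00:00:00:00:01")
    bob = Node("bob", "10.0.0.2", "02:00:00:00:00:02", KEYS["bob"])
    wormhole = Wormhole() if through_wormhole else None

    request = alice.arp_request(bob.ip)
    if wormhole:
        request = wormhole.relay(request)           # MA -> MB -> Bob
    reply = bob.arp_reply(request)
    if wormhole:
        reply = wormhole.relay(reply)               # MB -> MA -> Alice

    return {"verified": verify_reply(reply, request),
            "learned_mac": reply["mac"],
            "path": ["alice"] + (wormhole.hops if wormhole else []) + ["bob"]}


def tampered_reply_is_rejected():
    """Counter-case: a spoofed MAC in the reply does fail verification."""
    alice = Node("alice", "10.0.0.1", "02:00:00:00:00:01")
    bob = Node("bob", "10.0.0.2", "02:00:00:00:00:02", KEYS["bob"])
    request = alice.arp_request(bob.ip)
    forged = bob.arp_reply(request)
    forged["mac"] = "02:00:00:00:00:99"             # altered after signing
    return not verify_reply(forged, request)


if __name__ == "__main__":
    print("direct   :", run_scenario(False))
    print("wormhole :", run_scenario(True))
    print("tampered rejected:", tampered_reply_is_rejected())
```

Both calls to `run_scenario` report `verified: True` and the same learned MAC; only the `path` differs, and nothing in the ARP exchange exposes it. That is the point of the thread: the signature authenticates the address binding, while the question of which physical link the frames crossed is left to the routing layer.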