[Olsr-dev] ARP prevention!
Thu Aug 18 13:17:05 CEST 2011
I think Henning asked the right questions:
- how is the MAC address authenticated?
- what measures are taken to detect MAC spoofing?
These are basic questions, because a MAC address is trivial to spoof.
Please explain (at least) these issues so that we do not need to read
all of the ArpON docs.
I still think this is a layer 1.5 issue and of no concern to olsr.
On 08/18/2011 12:59 PM, Andrea Di Pasquale wrote:
> On 18 Aug 2011, at 12:42, Henning Rogge wrote:
>> On Thu, 18 Aug 2011 11:50:57 Andrea Di Pasquale wrote:
>>> ArpON does what you're asking with the cooperation of all nodes. :)
>>> Please read these links:
>> From what I read, ARPon does work if the attacker cannot spoof its MAC address.
>> Spoofing the MAC address is trivial in wireless networks.
>>> In ARP, you solve the problem by authenticating each host, and ArpON does
>> No, it does not.
>> ARPon verifies that the MAC address of a communication partner belongs to the
>> verified node, nothing more.
> ArpON is a proactive solution, or proactive protocol, because it works with cooperative nodes.
> You can see ArpON as an evolution of the ARP protocol.
> ArpON doesn't authenticate the host as Cisco DAI does with a DHCP server.
> See here:
> These algorithms don't implement an authentication solution.
> ArpON sets precise policies for ARP. Thus, ARP works in secure mode without cryptography.
>> Imagine the following scenario.
>> We have two verified users Alice (A) and Bob (B), which cannot directly hear
>> each other in the mesh.
>> The attacker Mallory sets up two nodes, one near Alice (MA) and one near Bob
>> (MB) which are connected by a hidden channel (a cable for example).
>> Mallory now begins to replay the traffic he hears on each node on the other
>> side, including MAC addresses.
>> A --- MA --- MB --- B
>> The OLSR instance of Alice will hear OLSR HELLO messages from Bob, which will
>> form a link between the two.
>> When a unicast packet has to travel from Alice to Bob, Alice sends an ARP
>> challenge to Bob.
>> MA will hear the ARP request and replay it on MB, where it will be heard by Bob.
>> Bob will reply with a cryptographically signed ARP response, which will be
>> transmitted by MB to MA and then to Alice.
>> Alice is now sure that she knows the MAC address of Bob (which is true).
>> But she still communicates with Bob through the cable between MA and MB, which
>> is controlled by Mallory.
> This is a problem of OLSRd, it isn't problem of ARP protocol.
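The relay scenario Henning describes above, worked through as an added example. This is not ArpON or olsrd code and not part of the original thread; the node names, keys, MAC addresses and topology are constructed, and an HMAC over (challenge, MAC) stands in for whatever signature a cooperative ARP scheme would put on the reply. The point it makes runnable: a signed ARP reply relayed byte-for-byte through Mallory's MA/MB cable verifies exactly as a direct one does, while a relay that actually rewrites Bob's MAC (a plain spoof) is caught.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed for illustration: keys and MACs of the two verified nodes.
KEYS = {"Alice": b"alice-key-constructed", "Bob": b"bob-key-constructed"}
MACS = {"Alice": "02:00:00:00:00:01", "Bob": "02:00:00:00:00:02"}

# Constructed topologies. In WORMHOLE the MA <-> MB edge is Mallory's hidden cable.
DIRECT = {"Alice": ["Bob"], "Bob": ["Alice"]}
WORMHOLE = {
    "Alice": ["MA"],
    "MA": ["Alice", "MB"],
    "MB": ["MA", "Bob"],
    "Bob": ["MB"],
}


def sign_arp_reply(node, challenge):
    """Bob's reply: his MAC plus a tag binding that MAC to Alice's challenge.

    HMAC is a stand-in for the real signature scheme; the only property used
    here is that the tag covers both the challenge and the claimed MAC.
    """
    mac = MACS[node]
    tag = hmac.new(KEYS[node], challenge + mac.encode(), hashlib.sha256).hexdigest()
    return {"from": node, "mac": mac, "challenge": challenge, "tag": tag}


def verify_arp_reply(reply, challenge):
    """Alice's check: her own challenge must be echoed and the tag must be valid."""
    if reply["challenge"] != challenge:
        return False
    expected = hmac.new(
        KEYS[reply["from"]], challenge + reply["mac"].encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, reply["tag"])


def deliver(topology, src, dst, frame, relay_hook=None):
    """Forward a frame hop by hop along the shortest path in `topology`.

    Every intermediate node replays the frame unchanged (what MA and MB do)
    unless `relay_hook` rewrites it. Returns (frame as received, path taken).
    """
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in topology.get(cur, ()):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None, []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    path.reverse()
    for hop in path[1:-1]:
        if relay_hook is not None:
            frame = relay_hook(hop, frame)
    return frame, path


def arp_exchange(topology, relay_hook=None):
    """Alice challenges Bob; returns (reply verified?, round-trip path taken)."""
    challenge = os.urandom(16)
    req, out_path = deliver(
        topology, "Alice", "Bob", {"type": "arp-challenge", "challenge": challenge}, relay_hook
    )
    if req is None:
        return False, []
    reply = sign_arp_reply("Bob", req["challenge"])
    reply, back_path = deliver(topology, "Bob", "Alice", reply, relay_hook)
    return verify_arp_reply(reply, challenge), out_path + back_path[1:]


def spoofing_relay(hop, frame):
    """A relay that rewrites the MAC in Bob's reply: an ordinary MAC spoof, not a wormhole."""
    if hop == "MA" and "tag" in frame:
        frame = dict(frame, mac="02:00:00:00:00:ee")
    return frame


if __name__ == "__main__":
    print("direct   :", arp_exchange(DIRECT))
    print("wormhole :", arp_exchange(WORMHOLE))
    print("spoofing :", arp_exchange(WORMHOLE, spoofing_relay))
```

Both the direct and the wormhole exchange return a verified reply; the only difference is the path, which Alice's verification never sees. That is the gap Henning points at: binding a MAC to a signing key says who owns the address, not whose radio the frames are actually passing through.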