
Re: [NOISE] Geek Apartments and Etherpunks
[Any lingering cypherpunk-relevant curiosity should probably be directed to
http://cougar.haverford.edu/resnet96/repeaters.html ]

On Wed, 14 Aug 1996, Rabid Wombat wrote:
> On Tue, 13 Aug 1996, Rich Graves wrote:
> > On Tue, 13 Aug 1996, Ben Combee wrote:
> > 
> > The "secure hubs" at GATech don't do encryption -- no way could that be done
> > at wire speed. What they do is fill the data portion of the Ethernet packet
> > with nulls. Everyone gets to see the source and destination MAC address and
> > length of every packet, but only the recipient (or a very clever spoofer --
> > most of the "secure hubs" on the market have a few vulnerabilities) gets
> > the data.
> 
> What vulnerabilities? I've heard tell of some(?) that "leak" unscrambled 
> packets if flooded with extreme traffic levels, but have never seen or 
> verified this. Got any specifics?

Change your MAC address to be the same as the hub's. 3Com recently fixed
this. Others might not have. 

> > As far as real-world geek apartments go, I heard of one in Manhattan that
> > worked exactly as described. I don't know whether they run "secure hubs."
> > Presumably they would -- I can't think of a major manufacturer's manageable
> > 10BaseT hub that lacks MAC address lockout features.
> 
> Most manufacturers offer SNMP-manageable hubs, but these don't offer 
> MAC-layer security. That usually costs a lot extra. The MAC-layer feature 
> is not widely used.

That was true six months ago, but 3Com, Allied, Cabletron, Synoptics, HP,
UB, and others now include it as a matter of course. Asante is the notable
exception. There are some kooks out there, like the people at RIT, who think
that everyone needs switched ports; and a few cheapskates, like management
at a major university in the Palo Alto area, who stick with Asante because
it's cheapest, and trust students to be nice (or at least nice enough to get
caught). 

> btw - if I were in an apartment environment, I'd want the "secure hubs",
> and would verify that they're actually in the secure mode. They usually
> have a "learning" mode, where they simply register the MAC address most
> recently assigned to each port (sort of like learning bridges - this saves
> a lot of manual entry). Of course, if left in this mode, they don't do a
> thing for security.

Sure they do. You'd have a reasonable assurance that wherever you went,
you'd be the only one seeing your packets -- assuming the backbone is
secure, which you need to assume anyway if you're not doing packet, session,
or application-layer encryption (which is the ultimate goal). The roving
portable computer is a pretty common case nowadays. The only thing a static
table gets you is intruder control. 

-rich
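As an added illustration that is not part of the thread (my own toy model, not any vendor's firmware), here is a small Python simulation of the "secure hub" behaviour discussed above: every port sees the source and destination MAC and the frame length, only the port registered for the destination MAC gets the data portion, and everyone else gets the same frame with the data nulled. It also models the two modes Rabid Wombat and Rich argue about: a learning table that simply follows whatever source MAC was last seen on a port, and a static table that drops (and logs) frames from an unregistered MAC, which is the intruder control Rich refers to. Class names, port numbers and MAC strings are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal Ethernet frame: header fields plus the data portion."""
    dst: str
    src: str
    payload: bytes


def scrub(frame: Frame) -> Frame:
    """What a non-destination port sees: header and length intact, data replaced by nulls."""
    return Frame(dst=frame.dst, src=frame.src, payload=b"\x00" * len(frame.payload))


@dataclass
class SecureHub:
    """Toy model of a 1990s 'secure' 10BaseT repeater (constructed for illustration).

    ports maps a port number to the MAC registered on it (None if nothing seen yet).
    In learning mode the table is rewritten from the source MAC of each frame;
    in static mode a frame whose source MAC does not match the port's entry is dropped.
    """
    ports: Dict[int, Optional[str]]
    learning: bool = True
    log: List[str] = field(default_factory=list)

    def ingress(self, port: int, frame: Frame) -> Dict[int, Frame]:
        """Repeat one frame arriving on `port`; returns what each other port receives."""
        if self.learning:
            # Learning mode: the port takes on the MAC most recently seen on it.
            self.ports[port] = frame.src
        elif self.ports.get(port) != frame.src:
            # Static table: unregistered source MAC is an intruder; drop and log, forward nothing.
            self.log.append(f"port {port}: dropped frame from unregistered MAC {frame.src}")
            return {}

        delivered: Dict[int, Frame] = {}
        for out_port, registered_mac in self.ports.items():
            if out_port == port:
                continue  # a repeater never sends a frame back out its ingress port
            if frame.dst == BROADCAST or registered_mac == frame.dst:
                delivered[out_port] = frame          # the real data portion
            else:
                delivered[out_port] = scrub(frame)   # header and length only
        return delivered


if __name__ == "__main__":
    hub = SecureHub(ports={1: "aa", 2: "bb", 3: "cc"}, learning=False)
    for p, f in hub.ingress(1, Frame(dst="bb", src="aa", payload=b"secret")).items():
        print(f"port {p}: dst={f.dst} src={f.src} len={len(f.payload)} data={f.payload!r}")
    hub.ingress(3, Frame(dst="bb", src="zz", payload=b"x"))
    print(hub.log)
```

Running it shows port 2 receiving `b"secret"` while port 3 receives six null bytes with the same MAC header, and the static table logging the dropped frame from the unregistered MAC on port 3. Switching `learning=True` makes that same frame re-register port 3 and go through, which is exactly the trade-off in the thread: payload confidentiality per port survives in learning mode, intruder control does not.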