Linux Security
July 16th, 2007, 07:49 AM
Boyan Tabakov
packet labeling & routing decision based on these labels

Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
>Hi
>
>I have this scenario:
>
>Subnet A
>Hosts n  Gateway  Fileservers NFS
>
>Hosts n: mark packets
>Gateway: uses mark to make routing decision
>
>Hosts n get their IP address via DHCP (IP address lease decision based on
>the client's MAC address).
>It is extremely simple to attach a notebook to Subnet A, spoof a legal
>client's IP and MAC addresses, get UID and username and do the worst.
>
>Over the weekend I tried packet marking using iptables mark and connmark
>targets to label packets at the Hosts n (iptables output -j MARK rule) and
>to have the Gateway based on these labels decide what to do with the
>packets (ip rule with fwmark). I stopped trying when I found out that the
>labels are not given permanently when a marked packet leaves the interface
>of a host n.
>
>As I very much like the idea of labeling packets I wonder whether such a
>concept is possible with other Linux tools.
>
>How would you do it?
>
>Thanks for your attention

Hi,

How are you using the marks? If a client can spoof the IP and MAC address, it
could do so with the marks too.

Securing your network from MAC or IP address spoofing may be done by
configuring the switches (if they are manageable, of course) - for example by
statically assigning allowed MAC addresses on specific switch ports. If a
malicious client can connect to your network and spoof a valid identity it is
already too late to secure protocols like NFS, which are not designed to be
used on an insecure network.

Best regards.

--
Blade hails you

how I wish
For soothing rain
how I wish to dream again


July 16th, 2007, 08:49 AM
Boyan Tabakov
packet labeling & routing decision based on these labels

Monday 16 July 2007 16:10:04 Philipp Snizek wrote:
>>Monday 16 July 2007 15:17:53 Philipp Snizek wrote:
>>>Hi
>>>
>>>I have this scenario:
>>>
>>>Subnet A
>>>Hosts n  Gateway  Fileservers NFS
>>>
>>>Hosts n: mark packets
>>>Gateway: uses mark to make routing decision
>>>
>>>Hosts n get their IP address via DHCP (IP address lease decision based
>>>on the client's MAC address).
>>>It is extremely simple to attach a notebook to Subnet A, spoof a legal
>>>client's IP and MAC addresses, get UID and username and do the worst.
>>>
>>>Over the weekend I tried packet marking using iptables mark and connmark
>>>targets to label packets at the Hosts n (iptables output -j MARK rule)
>>>and to have the Gateway based on these labels decide what to do with the
>>>packets (ip rule with fwmark). I stopped trying when I found out that the
>>>labels are not given permanently when a marked packet leaves the
>>>interface of a host n.
>>>
>>>As I very much like the idea of labeling packets I wonder whether such a
>>>concept is possible with other Linux tools.
>>>
>>>How would you do it?
>>>
>>>Thanks for your attention
>>
>>Hi,
>>
>>How are you using the marks? If a client can spoof the IP and MAC
>>address, it could do so with the marks too.
>
>Yes, it could, but then the attacker somehow has to learn what the mark
>looks like. If the attacker doesn't know, the gateway will notice the
>spoofing with the first incoming packet. And thus, alerting the spoofing
>will not be a problem anymore.

Spoofing the mark is as easy as spoofing the IP and MAC.

>The only way I can think of would be a man-in-the-middle attack (e.g. with
>a notebook that has 2 interfaces set up as a Linux bridge).
>I also thought about using SECMARK with SELinux but that is too much of a
>pain and therefore too expensive to build. Also, I do not know whether
>SECMARK painted packets are painted permanently.

You don't need to have two network interfaces to do a man-in-the-middle
attack. And that is the beauty of it - it is so simple :) You do that with IP
and MAC spoofing and it is as simple as running a little tool, publicly
available.


--
Blade hails you

I know my dreams are made of you
you and only for you

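The switch-side control Boyan describes, as an added example that is not part of the thread or anyone's posted code: a small Python model that binds each switch port to one allowed MAC (static port security) and cross-checks the source MAC and IP of observed frames against the DHCP lease table. The lease table, the port table and the monitor lines are all constructed for this example; a real deployment would take them from the DHCP server's leases file and the switch's port-security configuration. The point it illustrates is the one made in the thread: an iptables mark is set by the host and can be forged just like its IP and MAC, whereas the port a frame arrived on is observed by the switch and is what a mismatch check can be anchored to.

```python
"""Flag spoofed client identities on a DHCP-managed subnet.

Added example, not code from the thread. All three inputs below are
constructed: a DHCP lease table (MAC -> IP), a static port-security
table (switch port -> the single MAC allowed there), and monitor lines
recording which port a frame arrived on with its source MAC and IP.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "port src_mac src_ip")

# Constructed lease table: MAC address -> IP address handed out by DHCP.
LEASES = {
    "00:11:22:33:44:01": "10.0.0.11",
    "00:11:22:33:44:02": "10.0.0.12",
    "00:11:22:33:44:03": "10.0.0.13",
}

# Constructed port-security table: switch port -> the one MAC allowed on it.
# None marks a spare port on which no traffic is expected at all.
PORT_SECURITY = {
    "Gi0/1": "00:11:22:33:44:01",
    "Gi0/2": "00:11:22:33:44:02",
    "Gi0/3": "00:11:22:33:44:03",
    "Gi0/4": None,
}

# Constructed monitor output: 'port src_mac src_ip' per observed frame.
# Frames 3-5 model a notebook plugged into the subnet using borrowed
# or invented identities.
SAMPLE = """
# port   src_mac            src_ip
Gi0/1    00:11:22:33:44:01  10.0.0.11
Gi0/2    00:11:22:33:44:02  10.0.0.12
Gi0/4    00:11:22:33:44:02  10.0.0.12
Gi0/3    00:11:22:33:44:99  10.0.0.13
Gi0/4    00:11:22:33:44:03  10.0.0.50
""".splitlines()


def parse_frames(lines):
    """Parse monitor lines into Frame tuples, skipping blanks and comments."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, mac, ip = line.split()
        frames.append(Frame(port, mac.lower(), ip))
    return frames


def check_frame(frame, leases=LEASES, port_security=PORT_SECURITY):
    """Return the list of findings for one frame; an empty list is consistent.

    Two independent checks: does the source IP belong to the source MAC
    according to DHCP, and is the source MAC the one bound to the ingress port.
    """
    findings = []
    ip_to_mac = {ip: mac for mac, ip in leases.items()}
    owner = ip_to_mac.get(frame.src_ip)
    if owner is None:
        findings.append("unleased-ip")          # IP never handed out by DHCP
    elif owner != frame.src_mac:
        findings.append("ip-mac-mismatch")      # IP used by a different MAC
    if frame.port not in port_security:
        findings.append("unknown-port")
    else:
        allowed = port_security[frame.port]
        if allowed is None:
            findings.append("traffic-on-unused-port")
        elif allowed != frame.src_mac:
            findings.append("mac-port-mismatch")  # known MAC seen on the wrong port
    return findings


def audit(lines, leases=LEASES, port_security=PORT_SECURITY):
    """Run check_frame over all monitor lines; return {frame: findings} for offenders."""
    report = {}
    for frame in parse_frames(lines):
        findings = check_frame(frame, leases, port_security)
        if findings:
            report[frame] = findings
    return report


if __name__ == "__main__":
    for frame, findings in audit(SAMPLE).items():
        print(f"{frame.port} {frame.src_mac} {frame.src_ip}: {', '.join(findings)}")
```

Note what the third sample frame shows: a consistent MAC/IP pair (the spoofer copied both from a legitimate client) is still caught because it arrived on a port that has no host bound to it. That is the property a forged fwmark cannot give you, since the mark travels with nothing the switch or gateway can verify.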

© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 6 hosted by Hostway