On Fri, Oct 23, 2009 at 12:50:47PM +1300, Perry Lorier wrote:
> I've implemented myself a system which firewalled all ARP within the AP and
> queried the DHCP server asking for the correct MAC for that lease, then sent
> the ARP back (as well as firewalling DHCP servers and the like). It's
> quite easily doable, and quite reliable. If nodes were to send packets
> directly when associated to an AP then the 802.11 protocol would fall
> apart; I've never met an implementation that broke this requirement of the
> standard.
It had not occurred to me to intercept ARP (or ND) as a transition mechanism;
that is pretty clever. But the idea of using DHCPv* leasequery as a way to
make IP->MAC resolution both secure and unicast is something I've heard many
times. I don't know about my peers, but I would be very interested to see an
RFC that describes and examines your results.

> You can of course pretend you're the AP and send a packet if you're wanting
> to be vicious enough.

Yes, of course, that is much simpler. If the attacker can associate with the
real wireless network, they can always bridge and provide a rogue AP to
insert themselves in the middle.

Sometimes, in focusing on packet exchanges, we miss the forest for the trees.

-- 
David W. Hankins                  "If you don't do it right the first time,
Software Engineer                       you'll just have to do it again."
Internet Systems Consortium, Inc.                       -- Jack T. Hankins
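The AP-side ARP filter Perry describes (swallow every ARP a station sends, look the target up in the DHCP lease data, and answer from the AP itself with a unicast reply) can be sketched as a small packet filter. The following is an added example, not code from either poster or from ISC: the lease table is an in-memory dict standing in for a real DHCPv4 leasequery (RFC 4388) round-trip to the server, the MAC addresses and frames are constructed, and the anti-spoof and ARP-probe handling are my own choices rather than anything the thread states.

```python
"""ARP proxy/firewall for a wireless AP, as an illustration of the thread's idea.

Assumption (not from the thread): LEASES stands in for a DHCPv4 leasequery to
the real server; a deployment would ask the server instead of a local dict.
"""
import struct

AP_MAC = bytes.fromhex("020000aa0001")          # constructed: the AP's own MAC

# Constructed lease table: IPv4 address -> MAC the DHCP server leased it to.
LEASES = {
    "10.0.0.1":  bytes.fromhex("020000aa0001"),  # the AP / default gateway
    "10.0.0.10": bytes.fromhex("020000bb0010"),
    "10.0.0.11": bytes.fromhex("020000bb0011"),
}

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return (dst_mac, src_mac, arp_fields) or None if not a well-formed Ethernet/ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    return dst, src, dict(op=op, sha=sha, spa=spa, tha=tha, tpa=tpa)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed station-side broadcast ARP request, used to exercise the filter."""
    eth = ETH_HDR.pack(BROADCAST, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       sender_mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


def build_arp_reply(requester_mac, requester_ip, answer_mac, answer_ip):
    """Unicast reply sent by the AP: Ethernet source is the AP, ARP sender is the real owner."""
    eth = ETH_HDR.pack(requester_mac, AP_MAC, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       answer_mac, ip_bytes(answer_ip), requester_mac, ip_bytes(requester_ip))
    return eth + arp


def handle_frame(frame, leases=LEASES):
    """Filter one ARP frame received from a station.

    Returns ("drop", reason) or ("reply", frame_bytes). Nothing is ever
    forwarded to other stations: the AP answers from the lease table or drops.
    """
    parsed = parse_arp(frame)
    if parsed is None:
        return ("drop", "not a well-formed ARP frame")
    dst, src, arp = parsed
    if arp["op"] != ARP_REQUEST:
        # Replies and gratuitous ARP from stations are exactly the spoofing vector; swallow them.
        return ("drop", "station-originated ARP reply")
    if arp["sha"] != src:
        return ("drop", "ARP sender MAC does not match frame source")
    spa, tpa = ip_str(arp["spa"]), ip_str(arp["tpa"])
    if spa == "0.0.0.0":
        # RFC 5227 address probe: answer only if the probed address is leased to someone else,
        # so the prober sees the conflict without the probe reaching any other station.
        owner = leases.get(tpa)
        if owner is None or owner == src:
            return ("drop", "probe: no conflicting lease")
        return ("reply", build_arp_reply(src, spa, owner, tpa))
    # Anti-spoof: the sender must claim the address its own lease holds.
    if leases.get(spa) != src:
        return ("drop", "sender IP is not leased to this MAC")
    answer_mac = leases.get(tpa)
    if answer_mac is None:
        return ("drop", "target IP has no lease")
    return ("reply", build_arp_reply(src, spa, answer_mac, tpa))
```

The check that matters most is the one Perry alludes to with "firewalling DHCP servers and the like": this filter is only as trustworthy as the lease data behind it, so rogue DHCP servers on the same link have to be blocked as well, and it does nothing against an attacker who bridges traffic through a rogue AP, which is the point David makes in the reply.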