Transport Mode IPSEC

Ted Mittelstaedt tedm at toybox.placo.com
Thu Jan 18 09:40:18 UTC 2007


----- Original Message ----- 
From: "Andrew Pantyukhin" <infofarmer at freebsd.org>
To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
Cc: "Dan Mahoney, System Admin" <danm at prime.gushi.org>;
<questions at freebsd.org>
Sent: Thursday, January 18, 2007 12:25 AM
Subject: Re: Transport Mode IPSEC


> On 1/18/07, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
> > Dan,
> >
> >   You do realize, don't you, that since both of these hosts are on a switch,
> > and are using unicast traffic to communicate with each other, that they
> > cannot be sniffed, don't you?
> >
> >   You might read up on ethernet switching technology a bit before
> > answering that.
>
> I'm sorry to be the one to make this remark but it's
> you who needs to read a bit to learn (a) how to sniff
> traffic off most Ethernet switches from D-Link to
> Cisco; (b) what other security risks unprotected NFSv3
> shares pose.

Yeah, sure I've heard that one before.

Why don't you go ahead and elaborate one of your favorite
theoretical attacks out of one of those books that "proves"
that an attacker can "sniff most switches" so I can have the
fun of knocking it down by real-world hardware implementations
that you can actually buy and use right now.

Don't be a fool.  Ethernet switch manufacturers aren't stupid and
have read the same stuff you're citing.  They combat them 2 ways.
The first is used on the expensive switches and it's called filtering
and allows switch manufacturer salespeople to have something to
dog and pony.  The second is used on the cheapo switches and
it's called using a wussy CPU on the switch so that the second
you try attacking the switch with one of your fancy attacks to
sniff it, the switch just rolls over and dies, passing so few packets
that every connection through it loses tremendous numbers of
packets, and hell breaks loose as all users start screaming.

Been there, done that.  Those work just dandy in the lab and
in your CCIE class with 3 hosts set up for the purpose of
demonstrating the attacks.  But try it on a production network some
day and the side-effects will kill you.

Ted
