Transport Mode IPSEC

Andrew Pantyukhin infofarmer at FreeBSD.org
Thu Jan 18 10:07:19 UTC 2007


On 1/18/07, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
>
> ----- Original Message -----
> From: "Andrew Pantyukhin" <infofarmer at freebsd.org>
> To: "Ted Mittelstaedt" <tedm at toybox.placo.com>
> Cc: "Dan Mahoney, System Admin" <danm at prime.gushi.org>;
> <questions at freebsd.org>
> Sent: Thursday, January 18, 2007 12:25 AM
> Subject: Re: Transport Mode IPSEC
>
>
> > On 1/18/07, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
> > > Dan,
> > >
> > >   You do realize, don't you, that since both of these hosts are on a switch,
> > > and are using unicast traffic to communicate with each other, that they
> > > cannot be sniffed, don't you?
> > >
> > >   You might read up on ethernet switching technology a bit before
> > > answering that.
> >
> > I'm sorry to be the one to make this remark but it's
> > you who needs to read a bit to learn (a) how to sniff
> > traffic off most Ethernet switches from D-Link to
> > Cisco; (b) what other security risks unprotected NFSv3
> > shares pose.
>
> Yeah, sure I've heard that one before.
>
> Why don't you go ahead and elaborate one of your favorite
> theoretical attacks out of one of those books that "proves"
> that an attacker can "sniff most switches" so I can have the
> fun of knocking it down by real-world hardware implementations
> that you can actually buy and use right now.
>
> Don't be a fool.  Ethernet switch manufacturers aren't stupid and
> have read the same stuff you're citing.  They combat them in two ways.
> The first is used on the expensive switches and it's called filtering
> and allows switch manufacturer salespeople to have something to
> dog and pony.  The second is used on the cheapo switches and
> it's called using a wussy CPU on the switch so that the second
> you try attacking the switch with one of your fancy attacks to
> sniff it, the switch just rolls over and dies, passing so few packets
> that every connection through it loses tremendous numbers of
> packets, and hell breaks loose as all users start screaming.
>
> Been there, done that.  Those work just dandy in the lab and
> in your CCIE class with 3 hosts set up for the purpose of
> demonstrating the attacks.  But try it on a production network some
> day and the side-effects will kill you.

Okay, I'm sorry to have sounded a bit rough before
I even parsed your name :-) You don't need to throw
bits of your knowledge at unsuspecting bystanders,
too. ;)

Most attacks I can imagine, have read or heard about, or
have seen in the worst of my nightmares, I wouldn't be
able to reproduce or describe in detail. My friend
has a motto, which I happen to agree with: there's
a good enough attacker for any kind of security
measure; our job is to make his job as tough as
possible.
