Subject: Re: Fixed arp entry for WaveLan?
To: None <firstname.lastname@example.org>
From: Wolfgang Rupprecht <email@example.com>
Date: 02/21/2000 09:47:31
Thilo.Manske@HEH.Uni-Oldenburg.DE (Thilo Manske) writes:
> On Mon, Feb 21, 2000 at 06:56:00AM +0100, Martin Husemann wrote:
> > Is there an easy way to wire a fixed ARP entry for a wave lan (and block
> > all packets from other cards)?
> > I would like to restrict access via my ray0 interface to a single remote
> > card with a known IEEE 802.11 MAC address.
> An idea:
> Add a static arp entry for that other card (arp -s) and ifconfig ray0
If the intention is a bit more security, I'm not sure it will buy one
much. If the wireless intruder uses an IP address that routes to the
internet interface of a computer then the return packets won't need to
be arped on the wireless interface at all. They will merrily be
returned to the intruder via the internet.
I really think someone needs to figure out how to configure the ipsec
stuff for a wireless link. The ipsec stuff is in the international
kernel too, isn't it?
I did manage to hack together something that limped along using racoon
and statically defined "spdadd" lines like the following in
# capsicum.ray.wsrcc.com -> tepin.ray.wsrcc.com
spdadd 192.168.197.1/32 192.168.197.14/32 any -P out ipsec
spdadd 192.168.197.14/32 192.168.197.1/32 any -P in ipsec
# tepin.ray.wsrcc.com -> capsicum.ray.wsrcc.com
spdadd 192.168.197.14/32 192.168.197.1/32 any -P out ipsec
spdadd 192.168.197.1/32 192.168.197.14/32 any -P in ipsec
This doesn't provide any security because the '/use' indicates it is
optional. When I change to '/require' all communication stops.
When actually using this with racoon, it will run for 10 minutes or so
and then I get 1-2 minute hangs that eventually unwedge under a barrage
of pings. I also see racoon spit out diagnostics that to my untrained
eye don't look too encouraging.
Is anyone already using ipsec and possibly isakmp on their wireless
Wolfgang Rupprecht <firstname.lastname@example.org>
DGPS signals via the Internet http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
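
The '/use' versus '/require' distinction raised in the message above, as an added example that is not part of the original post: a small Python check over setkey(8)-style policy lines that reports which ones still pass cleartext when no SA exists. The `esp/transport//LEVEL` request in the sample is an assumption, since the lines in the post are cut off before it; `parse` and `audit` are names made up for this example.

```python
import re

# Constructed sample in setkey(8) policy syntax. The hosts are the ones in the
# post; the "esp/transport//LEVEL" request is an assumption (not in the post).
SAMPLE = """\
# capsicum -> tepin
spdadd 192.168.197.1/32 192.168.197.14/32 any -P out ipsec esp/transport//use;
spdadd 192.168.197.14/32 192.168.197.1/32 any -P in ipsec esp/transport//require;
"""

POLICY = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<dir>in|out)\s+ipsec\s+(?P<reqs>[^;]+);")

# What happens to a packet matching the policy when no SA is available.
NO_SA = {"use": "cleartext", "require": "drop", "unique": "drop",
         "default": "system default"}

def parse(text):
    """Return one dict per spdadd line: selectors, direction, request levels."""
    policies = []
    for line in text.splitlines():
        m = POLICY.match(line.strip())
        if not m:
            continue  # comments, blank lines, other setkey commands
        levels = []
        for req in m["reqs"].split():
            # request = protocol/mode/src-dst/level; an omitted level is "default"
            parts = req.split("/")
            level = parts[3].split(":")[0] if len(parts) > 3 else ""
            levels.append(level or "default")
        policies.append({"src": m["src"], "dst": m["dst"],
                         "dir": m["dir"], "levels": levels})
    return policies

def audit(text):
    """List (dir, src, dst, reason) for policies that do not enforce IPsec."""
    findings = []
    for p in parse(text):
        for level in p["levels"]:
            outcome = NO_SA.get(level, "unknown")
            if outcome != "drop":
                findings.append((p["dir"], p["src"], p["dst"],
                                 f"level '{level}': {outcome} without an SA"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

A policy the check passes is one where the kernel drops matching traffic until key negotiation succeeds, so it only makes sense to switch to it once the keying daemon is working reliably.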