Subject: Re: 2.0 change of ethernet address
To: Benjamin Walkenhorst <krylon@gmx.net>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-help
Date: 10/26/2004 23:46:18
On Tue, Oct 26, 2004 at 05:33:32PM +0200, Benjamin Walkenhorst wrote:
> muslim@o2.pl wrote:
> 
> >Anyone know that NetBSD 2 will support changing of hardware address
> >of Ethernet cards? I saw one patch to do this but not official I
> >think...[It was ~6 months ago..]
> > 
> >
> I don't think it would be a good idea... After all, the ethernet
> address is hard-wired in the card, so this would potentially
> cause lots of security problems... Just imagine someone
> plugging a notebook into your corporate network and faking the
> ethernet address of a trusted client, or worse, a logon server...
> This is just an invitation to arp-spoofing - sounds like the
> magical feature Black Hat 133nux is still missing... =)
> 
> I wonder if it is possible at all, but I am not a programmer.
> From an administrator's point of view, I strongly hope this is
> not possible and if it is, I hope it won't go into the main tree.

It's possible, and hacking a kernel to use a specific MAC address instead
of the one hardwired in the card is trivial (a general way of setting the
MAC address from userland isn't trivial because it requires an interface
change somewhere - I don't remember the details).
Remember that 3Com adapters ship with a tool that allows you to change the
ethernet address in the adapter's eeprom.

In other words: relying on ethernet addresses for security is a very, very
bad idea.

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference