[ale] Comcast linux...

Bob Toxen bob at verysecurelinux.com
Wed Jan 7 06:51:01 EST 2004


On Tue, Jan 06, 2004 at 11:18:20PM -0500, Michael H. Warfield wrote:
...

> 	In this case, it would be impossible.  Think about dhcp.  Think
> about how it works.  You can't get to the point of establishing a TCP
> connect because you don't have an address at that point.  You have to
> send out a broadcast and look for the return.  UDP is usable.  TCP can't
> even get a SYN out.

Think outside of the box.  The only reason why DHCP does that stupid
UDP broadcast is that when a system comes up it doesn't know what its
*final* IP address will be and the guys that created it weren't clever.
Just pick an initial IP address for it to come up as (or even one of X
to support really large networks).  It then would start out as IP 0.0.0.0,
ask 0.0.0.1 (the DHCP server by definition) and establish a TCP connection
to get its final IP.  Substitute a different more clever IP pair.

While this too is a kludge, it's a more secure kludge because with a
decent stack, data packets aren't spoofable.  As it is, any dweeb on the
Internet can broadcast false DHCP data to my system through ComCast which,
I'm sure, isn't smart enough to block DHCP packets from the Internet.
(On the other hand, they probably would not be smart enough to block
Internet sites from spoofing IPs that should originate from inside
its networks.)

...

> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Bob
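
The spoofing risk Bob describes (anyone able to reach the broadcast domain can answer a DHCP discover) is usually handled on the defender's side by checking which server actually answered. The following is an added example, not code from either poster: it decodes a DHCP server reply from its raw UDP payload (the fixed BOOTP header, the magic cookie and the TLV option list per RFC 2131), reads the server identifier option, and flags any OFFER/ACK/NAK whose server is not in an assumed allowlist of trusted DHCP servers. The two packets and all addresses in it are constructed test data.

```python
# Added example (not from the ALE thread): parse a DHCP server reply and
# flag replies whose server identifier is not in a trusted allowlist.
# The DHCP messages and addresses below are constructed test data; the
# trusted-server list is an assumption made for the example.
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie preceding the options
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY = 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str          # address the server is handing out
    chaddr: str          # client hardware address
    options: dict = field(default_factory=dict)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the fixed BOOTP header and the TLV option list of one DHCP UDP payload."""
    if len(payload) < 240:
        raise ValueError("too short for a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = socket.inet_ntoa(payload[16:20])
    chaddr = payload[28:28 + min(hlen, 16)]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, chaddr.hex(":"), options)


def check_reply(msg: DhcpMessage, trusted_servers: set) -> Optional[str]:
    """Return an alert string if a server reply is not from a trusted server, else None."""
    if msg.op != BOOTREPLY:
        return None                      # client-originated message, nothing to check here
    mtype = msg.options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    if mtype not in (2, 5, 6):           # only OFFER, ACK and NAK carry a server's decision
        return None
    sid = msg.options.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return f"{MSG_TYPES.get(mtype, mtype)} without a valid server identifier for {msg.chaddr}"
    server = socket.inet_ntoa(sid)
    if server not in trusted_servers:
        return (f"rogue DHCP {MSG_TYPES[mtype]} from {server} "
                f"offering {msg.yiaddr} to {msg.chaddr} (xid {msg.xid:#x})")
    return None


def audit(payloads, trusted_servers: set) -> list:
    """Run check_reply over captured DHCP payloads and collect the alerts."""
    alerts = []
    for p in payloads:
        try:
            alert = check_reply(parse_dhcp(p), trusted_servers)
        except ValueError as e:
            alert = f"malformed DHCP packet: {e}"
        if alert:
            alerts.append(alert)
    return alerts


def _constructed_offer(xid: int, yiaddr: str, server: str, mac: bytes) -> bytes:
    """Build a constructed DHCPOFFER payload as parser test input (never sent anywhere)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)
    hdr += socket.inet_aton(server) + socket.inet_aton("0.0.0.0")
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server) + bytes([OPT_END])
    return hdr + opts


# Constructed test data: one legitimate offer and one from an untrusted address.
TRUSTED_SERVERS = {"192.0.2.1"}
CLIENT_MAC = bytes.fromhex("001122334455")
GOOD_OFFER = _constructed_offer(0x1234, "192.0.2.50", "192.0.2.1", CLIENT_MAC)
ROGUE_OFFER = _constructed_offer(0x1234, "192.0.2.200", "203.0.113.9", CLIENT_MAC)

if __name__ == "__main__":
    for line in audit([GOOD_OFFER, ROGUE_OFFER], TRUSTED_SERVERS):
        print(line)
```

In practice the payloads would come from a capture of UDP port 68 traffic on the client side or from a span port at the edge; the check is the same, and the same allowlist is what DHCP snooping on a managed switch enforces in hardware.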
