RE: mac duplication
From: Burton M. Strauss III (BStrauss_at_acm.org)
Date: 12/14/03
- Previous message: Peter Moody: "RE: mac duplication"
- In reply to: Peter Moody: "RE: mac duplication"
- Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: mac duplication"
- Reply: Valdis.Kletnieks_at_vt.edu: "Re: mac duplication"
- Reply: dreamwvr_at_dreamwvr.com: "Re: mac duplication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <vuln-dev@securityfocus.com> Date: Sat, 13 Dec 2003 23:23:57 -0600
Um...
The burned in address is (supposed to be) globally unique. As a
{vendor|OEM} you need to get a block from IEEE (See their OUI files) and are
responsible for that block. You can't get another one until you assert
you've issued something like 90%+ of the last one. So according to the very
definition of the MAC address, it is globally unique.
Which isn't to say it doesn't happen that mistakes are made during the
manufacturing processes. This does happen and - as someone else indicated
on this thread - can be a brass-plated b*tch to find.
Still, unless two NICs happen to have the same MAC on the same physical
network (switch), even duplicated NICs 'somewhere in the world' shouldn't
cause problems.
Further, the MAC address doesn't have to be unique to the interface - it's
legal (and Sun does it) for the MAC to be assigned to the HOST and for all
interfaces to use that same value, which Sun seems to assume is ok since why
would people have more than one interface on a single network? As you start
rolling the separate networks up into VLANs and intelligent switches, well,
Sun's assumption is just gonna cause you pain...
That's also not to say you can't spoof the address, but even then, if you
override it, you're SUPPOSED to set the LLA bit (i.e. a LLA address is
xxxxxx1x:....). Most folks wouldn't recognize an LLA address if it walked
up and shook hands, and certainly the evildoer isn't going to pick a NICE
value to spoof, now is he? And as to easy/hard to spoof, it's trivial on
most OSes.
But all the standards regarding switching assume unique MAC addresses and so
the vendor can pretty much do anything they want for this 'impossible'
condition and still claim adherence to the standards.
-----Burton
> -----Original Message-----
> From: Peter Moody [mailto:peter@ucsc.edu]
> Sent: Saturday, December 13, 2003 10:32 PM
> To: Burton M. Strauss III
> Cc: Dev; vuln-dev@securityfocus.com
> Subject: RE: mac duplication
>
>
>
> > By their very definition, MAC addresses are globally unique.
> > So there's no 'standard' behavior.
> > What a switch does when it sees a duplicated MAC is completely
> > arbitrary...
>
> This is not true. It is indeed quite possible to change the MAC address
> of a NIC, though it's not all that easy. I've even heard of cards that
> essentially search a local network for an unused MAC address (in a
> particular range, I imagine) and grab one.
>
> So yes, while MAC addresses are *supposed* to be globally unique, there is
> no guarantee of this.
>
> -Peter
>
> --
> Peter Moody <peter@ucsc.edu>
> Information Security Administrator 831/459.5409
> Communications and Technology Services. UC, Santa Cruz.
> http://security.ucsc.edu/pgp/peter.moody.pub
> :wq
>
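Two checks a network defender would want after reading this exchange: recognising the locally administered ("LLA") bit that Burton says a spoofed address is supposed to carry, and spotting the case he calls the real problem, the same MAC showing up on more than one port of the same switch. The following is an added example, not code from either poster; the switch forwarding-table entries it runs over are constructed sample data, and the port naming and the vendor-neutral OUI values are assumptions made for illustration only.

```python
"""Classify MAC addresses (U/L and I/G bits, OUI) and flag MACs learned on
more than one port within a VLAN. Added example; sample data is constructed."""
import re
from collections import defaultdict


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits.
    Accepts 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' and Cisco 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits


def classify_mac(mac: str) -> dict:
    """Decode the two flag bits in the first octet plus the 24-bit OUI.

    bit 0 (0x01) = I/G: 0 unicast, 1 group/multicast
    bit 1 (0x02) = U/L: 0 universally administered (burned-in, from an IEEE
                        OUI block), 1 locally administered (the 'xxxxxx1x'
                        pattern an overridden address is supposed to use)
    """
    h = normalize_mac(mac)
    first_octet = int(h[:2], 16)
    return {
        "mac": h,
        "oui": h[:6].upper(),
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def find_duplicates(fdb_entries):
    """fdb_entries: iterable of (vlan, port, mac) rows from a switch's
    forwarding table. Returns {(vlan, mac): [ports]} for every MAC that was
    learned on more than one port in the same VLAN. The same MAC in two
    different VLANs is not a conflict, matching the 'same physical network'
    condition in the thread."""
    seen = defaultdict(set)
    for vlan, port, mac in fdb_entries:
        seen[(vlan, normalize_mac(mac))].add(port)
    return {key: sorted(ports) for key, ports in seen.items() if len(ports) > 1}


# Constructed forwarding-table sample (port names and OUIs are placeholders).
SAMPLE_FDB = [
    (10, "Gi1/0/1", "00:11:22:33:44:55"),
    (10, "Gi1/0/2", "00-11-22-33-44-55"),   # same MAC, second port: duplicate
    (10, "Gi1/0/3", "02:00:5e:00:00:01"),   # U/L bit set: locally administered
    (20, "Gi1/0/4", "0011.2233.4455"),      # same MAC but VLAN 20: not flagged
    (10, "Gi1/0/5", "01:00:5e:00:00:fb"),   # I/G bit set: multicast
]


def report(fdb_entries=SAMPLE_FDB):
    """Return (locally administered MACs, duplicate map) for a table."""
    local = sorted({classify_mac(m)["mac"] for _, _, m in fdb_entries
                    if classify_mac(m)["locally_administered"]})
    return local, find_duplicates(fdb_entries)


if __name__ == "__main__":
    local, dups = report()
    print("locally administered:", local)
    for (vlan, mac), ports in dups.items():
        print(f"VLAN {vlan}: {mac} learned on {', '.join(ports)}")
```

A locally administered address is not by itself evidence of spoofing (hosts that assign one MAC to every interface, as the post describes for Sun, and virtual interfaces use it legitimately), but a MAC that alternates between two ports inside one VLAN is exactly the condition the thread says switches handle arbitrarily, so it is worth alerting on regardless of which flag bits the address carries.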