On Fri, 1 Nov 1996, Matthew Thompson wrote:
[...]
> Therefore, using IP and MAC addresses for authentication/accounting only
> serves to keep your honest users honest. If someone wants to forge these
> it's trivial.
Well, that of course depends on what hardware you are using. I believe
it IS possible to use IP+MAC addresses for authentication providing
you have appropriate hardware+software to back it up. Specifically,
you need a hub that can be configured for a single MAC address/port,
any other MAC address to that port will partition it. If you have
this, you have a way to ensure that you (at the very least) know which
port (on the HUB) is allowed to use which MAC address and by extension
which IP number. So, users can change their MAC if they like, they end
up with a useless machine (network wise anyway).
Combine this with physical security (ie: locked office doors and the
hub must be physically secure as well) + the assurance that IP traffic
is not broadcasted but is sent directly to the port (ie: no sniffing
capability, can't seem to recall the appropriate term right now) and I
think that you have a near perfect and secure authentication system
that does not require login/password (it *is* still open to social
engineering, but what isn't?).
In case anyone thinks this is pie-in-the-sky, a system like that
described, using DHCP, 10BaseT smart hubs and some home-grown software
is in use at the University of Western Ontario right now in the newly
installed ResNet project.
Of course, the hardware does not come cheap (nor the home-grown
software) but that is a different matter altogether.
cheers, kinch
ps: I was thinking of writing a paper about the system, specifically
the software (AutoHost) for submission to LISA (seems the most
appropriate venue). Does anyone have any opinions as to whether I
should bother?
References:
|
|
