From: Brian Dennis (brian@labforge.com)
Date: Sat Jul 05 2003 - 14:52:04 GMT-3
What if you were in a very large network or trying to do IP mobile ARP over the Internet? Which solution do you think would be better? Call your ISP and tell them they need to accept the /32 routes that IP mobile ARP generates from you ;-)

What about security issues? How secure is regular IP mobile ARP? Do you want anyone to just plug a computer into your network and advertise a /32 route for whatever address they have configured? Consider this hypothetical situation. What if a "hacker" plugs their computer in with the same IP address as the company's HR web server? When that /32 route from the mobile ARP process for the hacker's computer gets advertised around, where do you think the traffic destined for the HR web server is going to go (assuming there isn't a /32 route for the HR web server being advertised already)? The hacker throws up a mock-up website on their computer of the real HR website just long enough to capture a few users trying to log in. After the users enter their usernames and passwords, the hacker's mock-up website tells the users the website is down for the next 15 minutes and to try back later. After a few users attempt to log in, the hacker unplugs the computer with the mock-up website and lets the /32 route (mobile ARP) time out, so when the users try to log back into the HR web server later they will be routed back to the real HR web server. The users don't even know that they were temporarily rerouted to the hacker's mock-up website that stole their usernames and passwords.

As a side note, Mobile IP offers MD5 authentication and filtering capabilities, whereas IP mobile ARP is very insecure. I've seen Mobile IP deployed in the real world with law enforcement. I've never seen a large-scale deployment of IP mobile ARP.
Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
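As an added example (not part of this thread or any vendor's code), one defender-side check for the scenario Brian describes: parse a router's routing table for /32 routes installed by IP mobile ARP and flag any that cover an address that should never move, such as the HR web server. The IOS-style output, the route-table format details and all addresses below are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of IOS-style "show ip route" lines (layout assumed for
# illustration, not captured from a real device). "M" is the IOS route code
# for a host route installed by IP mobile ARP.
SAMPLE_ROUTES = """\
C    10.10.20.0/24 is directly connected, FastEthernet0/0
O    10.10.30.0/24 [110/20] via 10.10.20.2, 00:12:41, FastEthernet0/0
M    10.10.30.25/32 [3/1] via 10.10.30.25, 00:00:12, FastEthernet0/1
M    10.10.30.80/32 [3/1] via 10.10.30.80, 00:00:03, FastEthernet0/1
"""

# Hosts that must never roam (hypothetical addresses): a mobile /32 for one
# of these means some host has appeared claiming a fixed server's address.
PROTECTED_HOSTS = {
    "10.10.30.80": "hr-web",
    "10.10.30.53": "dns",
}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?"
    r"(?:.*?via\s+(?P<via>\d+\.\d+\.\d+\.\d+))?"
    r"(?:.*?,\s*(?P<iface>\S+))?\s*$"
)

def parse_mobile_routes(output):
    """Return (network, next_hop, interface) for every 'M' route in the output."""
    found = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or m.group("code") != "M":
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        found.append((net, m.group("via"), m.group("iface")))
    return found

def find_rogue_mobile_routes(output, protected=PROTECTED_HOSTS):
    """Flag mobile routes whose prefix covers an address on the protected list."""
    alerts = []
    for net, via, iface in parse_mobile_routes(output):
        for addr, name in protected.items():
            if ipaddress.ip_address(addr) in net:
                alerts.append({"host": name, "address": addr,
                               "via": via, "interface": iface})
    return alerts

if __name__ == "__main__":
    for a in find_rogue_mobile_routes(SAMPLE_ROUTES):
        print(f"ALERT: mobile /32 for {a['host']} ({a['address']}) "
              f"via {a['via']} on {a['interface']}")
```

Run this periodically against the routing table of the router doing the mobile-ARP redistribution; the roaming laptop at 10.10.30.25 is left alone, while the /32 that suddenly covers the HR server's address is reported with the interface it arrived on.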
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jim Phillipo
Sent: Saturday, July 05, 2003 9:36 AM
To: 'ccielab@groupstudy.com'
Subject: ip mobile question
Where does the ip mobile arp command fit into the big picture? Seems like it is a lot easier to configure one router with this command along with redistribute mobile than going through the hassle of configuring HA and FA etc.

The reason I ask is I am doing IPEXPERT lab 35 and the requirement was to allow a user from one subnet to be able to connect to another router's subnet without changing its IP.

I was surprised when I checked the answer config and all they used was the ip mobile ARP command instead of all the other stuff.

Any thoughts appreciated.
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:25 GMT-3