Re: mac address spoofing & dhcp snooping

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Dec 23 2004 - 11:35:34 GMT-3

• Next message: Joe Smith: "Re: mac address spoofing & dhcp snooping"
• Previous message: Ned: "RE: EIGRP Topology Table"
• Maybe in reply to: ccie2be: "mac address spoofing & dhcp snooping"
• Next in thread: Joe Smith: "Re: mac address spoofing & dhcp snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hey Joe,

Thanks for getting back to me on this.

I should have been more clear but I was referrring to

dhcp packet from the dhcp client to the first hop device

which in this case would be a 3550 with dhcp snooping enabled

and acting as a dhcp relay.

What I want to confirm is this:

As the dhcp packet leaves the dhcp client on it's way

to the dhcp server, the frame's source mac address will ALWAYS

be the same as the client hardware address carried inside the

frame unless one or the other of those mac addresses have been

spoofed, true?

Since the dhcp snooping process on the 3550 will always drop

the frame if those 2 mac addresses are not the same, I just wanted to make

sure that if the 3550 did drop the dhcp frame, I can correctly conclude that

something is wrong because there's no legit reason those 2 address would be
different.

The situation I have in mind is when the mac address is set manually as is
done sometimes

in IBM centric IT shops. ( This scenario is probably far-fetched but just
wanted to make sure.)

Thanks, Tim

----- Original Message -----
From: "Joe Smith" <j333smith@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, December 23, 2004 8:45 AM
Subject: RE: mac address spoofing & dhcp snooping

> When a packet is routed/forwarded the layer 2 header is stripped and
> replaced. Therefore, if the packet is not from the local network the
source
> MAC address will be different then the MAC address in the DHCP packet.
And
> yes it is very easy to spoof a local network source MAC address and/or
> change the mac address in the DHCP packet.
>
> J3
>
> >From: "ccie2be" <ccie2be@nyc.rr.com>
> >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> >To: "Group Study" <ccielab@groupstudy.com>
> >Subject: mac address spoofing & dhcp snooping
> >Date: Wed, 22 Dec 2004 18:47:54 -0500
> >
> >Hi guys,
> >
> >Is it possible to spoof the source mac address of an outgoing frame?
> >
> >I ask because when dhcp snooping is enabled on a 3550, it checks
> >
> >to see if the source mac address of the frame is the same as the mac
> >address
> >
> >inside the dhcp packet.
> >
> >If the 2 mac addresses are different, the 3550 will drop the packet.
> >
> >Besides spoofing the source mac address, are there any possible reasons
> >
> >the source mac address would be different from the mac address contained
> >
> >inside the packet?
> >
> >TIA, Tim
> >
> >_______________________________________________________________________
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
> _________________________________________________________________
> Dont just search. Find. Check out the new MSN Search!
> http://search.msn.click-url.com/go/onm00200636ave/direct/01/
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

• Next message: Joe Smith: "Re: mac address spoofing & dhcp snooping"
• Previous message: Ned: "RE: EIGRP Topology Table"
• Maybe in reply to: ccie2be: "mac address spoofing & dhcp snooping"
• Next in thread: Joe Smith: "Re: mac address spoofing & dhcp snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3