Re: mac address spoofing & dhcp snooping

From: Joe Smith (j333smith@hotmail.com)
Date: Thu Dec 23 2004 - 11:59:21 GMT-3


Tim,

In the documentation for DHCP snooping, a trusted interface is on the same
network and an untrusted interface is not. So the DHCP snooping feature on
the 3550 is checking to see if the client is on the same network; if the
client is not on the same network, then those mac addresses will not match.

If the client is on the same network, yes I agree they should be the same,
since that is what the DHCP snooping feature is attempting to verify.

HTH
J3

>From: "ccie2be" <ccie2be@nyc.rr.com>
>To: "Joe Smith" <j333smith@hotmail.com>, <ccielab@groupstudy.com>
>Subject: Re: mac address spoofing & dhcp snooping
>Date: Thu, 23 Dec 2004 09:35:34 -0500
>
>Hey Joe,
>
>Thanks for getting back to me on this.
>
>I should have been more clear, but I was referring to the dhcp packet from
>the dhcp client to the first hop device, which in this case would be a 3550
>with dhcp snooping enabled and acting as a dhcp relay.
>
>What I want to confirm is this:
>
>As the dhcp packet leaves the dhcp client on its way to the dhcp server, the
>frame's source mac address will ALWAYS be the same as the client hardware
>address carried inside the frame unless one or the other of those mac
>addresses has been spoofed, true?
>
>Since the dhcp snooping process on the 3550 will always drop the frame if
>those 2 mac addresses are not the same, I just wanted to make sure that if
>the 3550 did drop the dhcp frame, I can correctly conclude that something is
>wrong because there's no legit reason those 2 addresses would be different.
>
>The situation I have in mind is when the mac address is set manually, as is
>done sometimes in IBM-centric IT shops. (This scenario is probably
>far-fetched, but I just wanted to make sure.)
>
>Thanks, Tim
>
>----- Original Message -----
>From: "Joe Smith" <j333smith@hotmail.com>
>To: <ccielab@groupstudy.com>
>Sent: Thursday, December 23, 2004 8:45 AM
>Subject: RE: mac address spoofing & dhcp snooping
>
>
> > When a packet is routed/forwarded the layer 2 header is stripped and
> > replaced. Therefore, if the packet is not from the local network, the
> > source MAC address will be different from the MAC address in the DHCP
> > packet. And yes, it is very easy to spoof a local network source MAC
> > address and/or change the mac address in the DHCP packet.
> >
> > J3
> >
> > >From: "ccie2be" <ccie2be@nyc.rr.com>
> > >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> > >To: "Group Study" <ccielab@groupstudy.com>
> > >Subject: mac address spoofing & dhcp snooping
> > >Date: Wed, 22 Dec 2004 18:47:54 -0500
> > >
> > >Hi guys,
> > >
> > >Is it possible to spoof the source mac address of an outgoing frame?
> > >
> > >I ask because when dhcp snooping is enabled on a 3550, it checks to see
> > >if the source mac address of the frame is the same as the mac address
> > >inside the dhcp packet.
> > >
> > >If the 2 mac addresses are different, the 3550 will drop the packet.
> > >
> > >Besides spoofing the source mac address, are there any possible reasons
> > >the source mac address would be different from the mac address contained
> > >inside the packet?
> > >
> > >TIA, Tim
> > >
> > >_______________________________________________________________________
> > >Subscription information may be found at:
> > >http://www.groupstudy.com/list/CCIELab.html
> >
>
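The check the thread is arguing about, as an added example that is not part of any message above: a small Python model of the DHCP snooping MAC-verification step (on Catalyst switches, the `ip dhcp snooping verify mac-address` check, which compares the Ethernet source MAC with the chaddr field of client DHCP messages arriving on untrusted ports). It builds three constructed DHCP DISCOVER frames with the standard library only: one from a client on the local segment, one whose Ethernet source has been spoofed, and one as it looks after a relay agent has forwarded it (the relay's own MAC as L2 source, giaddr set, chaddr still naming the client), then runs each through the compare. Every MAC and IP address is made up for the example, the frame builder leaves IP/UDP checksums at zero, and `snooping_verdict` is a simplified model of the feature's documented behaviour, not switch code.

```python
import struct

# Constructed sample addresses (not from the thread): a client, an attacker's NIC,
# a relay router and the DHCP server.
CLIENT_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"
RELAY_MAC = "00:1b:d4:00:00:01"
RELAY_IP = "10.1.1.1"
SERVER_MAC = "00:50:56:00:00:02"
SERVER_IP = "10.0.0.5"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp_discover(src_mac, chaddr, dst_mac=BROADCAST_MAC, src_ip="0.0.0.0",
                        dst_ip="255.255.255.255", giaddr="0.0.0.0"):
    """Ethernet/IPv4/UDP/BOOTP DISCOVER. IP and UDP checksums are left at zero: this is
    a constructed frame for feeding the check below, not something to put on a wire."""
    # BOOTP fixed header (RFC 2131 s.2): op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), ip_bytes(giaddr),
                        mac_bytes(chaddr).ljust(16, b"\x00"), bytes(64), bytes(128))
    # magic cookie, option 53 (message type) = 1 DISCOVER, end option
    dhcp = bootp + b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip)) + udp
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip


def parse_dhcp_frame(frame):
    """Pull out the fields the snooping compare looks at: L2 source, UDP ports,
    giaddr and chaddr (only the first hlen bytes of the 16-byte field)."""
    eth_src = mac_str(frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    bootp = frame[udp + 8:]
    hlen = bootp[2]
    return {
        "eth_src": eth_src,
        "sport": sport,
        "dport": dport,
        "giaddr": ip_str(bootp[24:28]),
        "chaddr": mac_str(bootp[28:28 + hlen]),
    }


def snooping_verdict(frame, port_trusted):
    """Simplified model of the 3550 MAC-verification step: a client-to-server DHCP
    message arriving on an UNTRUSTED port is dropped when the Ethernet source MAC
    differs from chaddr. Trusted ports are not checked. Returns (verdict, reason)."""
    f = parse_dhcp_frame(frame)
    if port_trusted:
        return "forward", "trusted port: no MAC verification"
    if f["eth_src"] != f["chaddr"]:
        return "drop", (f"source MAC {f['eth_src']} != chaddr {f['chaddr']} "
                        f"(giaddr {f['giaddr']})")
    return "forward", "source MAC matches chaddr"


def scenarios():
    # 1. Client on the local segment: L2 source and chaddr are the same NIC.
    local = build_dhcp_discover(CLIENT_MAC, CLIENT_MAC)
    # 2. Attacker's NIC sends a DISCOVER whose chaddr names another host.
    spoofed = build_dhcp_discover(ATTACKER_MAC, CLIENT_MAC)
    # 3. The client's DISCOVER after a relay agent forwarded it: the relay rewrote the
    #    L2 header with its own MAC, set giaddr/source IP to its interface and unicast
    #    the packet to the server, while chaddr still names the original client.
    relayed = build_dhcp_discover(RELAY_MAC, CLIENT_MAC, dst_mac=SERVER_MAC,
                                  src_ip=RELAY_IP, dst_ip=SERVER_IP, giaddr=RELAY_IP)
    return {
        "local_untrusted": snooping_verdict(local, port_trusted=False)[0],
        "spoofed_untrusted": snooping_verdict(spoofed, port_trusted=False)[0],
        "relayed_untrusted": snooping_verdict(relayed, port_trusted=False)[0],
        "relayed_trusted": snooping_verdict(relayed, port_trusted=True)[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

The relayed case is the one worth noticing: nothing has been spoofed, yet the compare fails, because the relay legitimately replaced the layer 2 header, so the port facing a relay or DHCP server has to be configured trusted or valid traffic is dropped. On an untrusted access port a mismatch between the two addresses does mean a client, or something between it and the switch, is presenting a MAC it did not get from its own NIC.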



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3