Re: mac address spoofing & dhcp snooping

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Dec 23 2004 - 12:35:50 GMT-3

• Next message: ccie2be: "Re: Frame Relay Questions"
• Previous message: ccie2be: "Re dhcp & Option 82"
• Maybe in reply to: ccie2be: "mac address spoofing & dhcp snooping"
• Next in thread: Kirk Graham: "Re: mac address spoofing & dhcp snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Kirk,

No, I don't have a sniffer or anything like that.

As far as the client getting an ip address, obviously, if the 3550 drops the
dhcp packet from the client, the client won't get

an address. If the 3550 doesn't drop the dhcp packet, then whether or not
the client gets an address depends on several other factors -

does the dhcp server have additional addresses to hand out, is the 3550
configured to relay the dhcp packets correctly, etc.

The thing to understand about dhcp snooping is that it's a security
feature - it's not there to stop dhcp clients from getting an ip address.

It's there to stop rogue dhcp clients from interfering with the dhcp
process.

HTH, Tim
----- Original Message -----
From: "Kirk Graham" <kgraham@instructors.net>
To: "ccie2be" <ccie2be@nyc.rr.com>
Sent: Thursday, December 23, 2004 9:50 AM
Subject: Re: mac address spoofing & dhcp snooping

> You don't have a sniffer trace or "debug ip packet dump" output do you?
>
> Just curious myself.
>
> Does the client "get" an IP address??? I'm guessing that it doesn't if
DHCP
> snooping is enabled. IF that's disabled, does the client get an address???
>
> Thanks,
> Kirk
>
> At 08:35 AM 12/23/2004, you wrote:
> >Hey Joe,
> >
> >Thanks for getting back to me on this.
> >
> >I should have been more clear but I was referrring to
> >
> >dhcp packet from the dhcp client to the first hop device
> >
> >which in this case would be a 3550 with dhcp snooping enabled
> >
> >and acting as a dhcp relay.
> >
> >What I want to confirm is this:
> >
> >As the dhcp packet leaves the dhcp client on it's way
> >
> >to the dhcp server, the frame's source mac address will ALWAYS
> >
> >be the same as the client hardware address carried inside the
> >
> >frame unless one or the other of those mac addresses have been
> >
> >spoofed, true?
> >
> >Since the dhcp snooping process on the 3550 will always drop
> >
> >the frame if those 2 mac addresses are not the same, I just wanted to
make
> >
> >sure that if the 3550 did drop the dhcp frame, I can correctly conclude
that
> >
> >something is wrong because there's no legit reason those 2 address would
be
> >different.
> >
> >The situation I have in mind is when the mac address is set manually as
is
> >done sometimes
> >
> >in IBM centric IT shops. ( This scenario is probably far-fetched but
just
> >wanted to make sure.)
> >
> >Thanks, Tim
> >
> >----- Original Message -----
> >From: "Joe Smith" <j333smith@hotmail.com>
> >To: <ccielab@groupstudy.com>
> >Sent: Thursday, December 23, 2004 8:45 AM
> >Subject: RE: mac address spoofing & dhcp snooping
> >
> >
> > > When a packet is routed/forwarded the layer 2 header is stripped and
> > > replaced. Therefore, if the packet is not from the local network the
> >source
> > > MAC address will be different then the MAC address in the DHCP packet.
> >And
> > > yes it is very easy to spoof a local network source MAC address and/or
> > > change the mac address in the DHCP packet.
> > >
> > > J3
> > >
> > > >From: "ccie2be" <ccie2be@nyc.rr.com>
> > > >Reply-To: "ccie2be" <ccie2be@nyc.rr.com>
> > > >To: "Group Study" <ccielab@groupstudy.com>
> > > >Subject: mac address spoofing & dhcp snooping
> > > >Date: Wed, 22 Dec 2004 18:47:54 -0500
> > > >
> > > >Hi guys,
> > > >
> > > >Is it possible to spoof the source mac address of an outgoing frame?
> > > >
> > > >I ask because when dhcp snooping is enabled on a 3550, it checks
> > > >
> > > >to see if the source mac address of the frame is the same as the mac
> > > >address
> > > >
> > > >inside the dhcp packet.
> > > >
> > > >If the 2 mac addresses are different, the 3550 will drop the packet.
> > > >
> > > >Besides spoofing the source mac address, are there any possible
reasons
> > > >
> > > >the source mac address would be different from the mac address
contained
> > > >
> > > >inside the packet?
> > > >
> > > >TIA, Tim
> > > >
> > >
>_______________________________________________________________________
> > > >Subscription information may be found at:
> > > >http://www.groupstudy.com/list/CCIELab.html
> > >
> > > _________________________________________________________________
> > > Dont just search. Find. Check out the new MSN Search!
> > > http://search.msn.click-url.com/go/onm00200636ave/direct/01/
> > >
> > >

• Next message: ccie2be: "Re: Frame Relay Questions"
• Previous message: ccie2be: "Re dhcp & Option 82"
• Maybe in reply to: ccie2be: "mac address spoofing & dhcp snooping"
• Next in thread: Kirk Graham: "Re: mac address spoofing & dhcp snooping"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3