On Wed, Feb 11, 2004 at 10:06:26AM -0200, Nelson Guedes Paulo Junior wrote: > > I'm not seeing this as a "problem", it's all working fine, the NIC's are > exactly the same model, but have diferent MAC's. My problem is, if a user CAN > change his MAC adreess, even if ONLY root can change, it's easy to implement > a spoofing right???? > > So, why is permited to change the MAC this way?????? Why? Because the MAC address is loaded by software. The hardware is generic and the driver loads a MAC address commonly found in a very small chunk of NVRAM on the motherboard or IO card into the hardware. Since the driver source is open it would be trivial to hack the driver and do anything. Thus (To Me) it makes sense to expose it as a "feature" and not generate a false sense of security. The register in most network chips permits a change on the fly. This is also EASY to do this on WinNT. The config screen does not label the field as the MAC address but it can be changed. I did it in error yesterday. There ARE good reasons for permitting access to change the MAC address. Some NAT considerations come to mind. I have seen failure in the NVRAM part that contained the factory address. Letting software set an address means that there is less junk in the landfill this week. Redundant system fail-over comes to mind. Hardware upgrades.... Software keys might be involved. Having two NICs on the same net with the same MAC address does not work. Thus the software key license thing degenerates to one license per net which squashes a lot of abuse. If you snoop on a net when some PC hardware boots you can see the BIOS send out a packet with the factory MAC address then the OS boots and if someone has changed the MAC you will see another MAC address on the wire. A system administrator can watch for and decide if this is a problem. See: arpwatch. I do see wireless access being managed by MAC addresses. This might be necessary but it is not sufficient as a security solution. -- T o m M i t c h e l l mitch48-at-sbcglobal-dot-net
