
[no subject]



> 	In this case, it would be impossible.  Think about dhcp.  Think
> about how it works.  You can't get to the point of establishing a TCP
> connect because you don't have an address at that point.  You have to
> send out a broadcast and look for the return.  UDP is usable.  TCP can't
> even get a SYN out.

Think outside of the box.  The only reason why DHCP does that stupid
UDP broadcast is that when a system comes up it doesn't know what its
*final* IP address will be and the guys that created it weren't clever.
Just pick an initial IP address for it to come up as (or even one of X
to support really large networks).  It then would start out as IP 0.0.0.0,
ask 0.0.0.1 (the DHCP server by definition) and establish a TCP connection
to get its final IP.  Substitute a different more clever IP pair.

While this too is a kludge, it's a more secure kludge because with a
decent stack, data packets aren't spoofable.  As it is, any dweeb on the
Internet can broadcast false DHCP data to my system through ComCast which,
I'm sure, isn't smart enough to block DHCP packets from the Internet.
(On the other hand, they probably would not be smart enough to block
Internet sites from spoofing IPs that should originate from inside
its networks.)

...

> 	Mike
> -- 
>  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
>   /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

Bob
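As an added example (not part of this thread), here is a Python check a defender could run over captured DHCP traffic: it parses the BOOTP header and option TLVs of a DHCPOFFER and flags offers that arrive from outside the local subnet, whose server identifier does not match the sender, or whose server is not on an allowlist. The trusted-server set, the subnet and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2

def parse_dhcp(payload):
    """Parse the BOOTP fixed header plus DHCP option TLVs (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, xid = payload[0], struct.unpack_from("!I", payload, 4)[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being offered
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:                 # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")  # malformed TLV: reject, don't guess
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}

def rogue_offer(payload, src_ip, trusted_servers, local_net):
    """Return why a DHCPOFFER should be flagged, or None if it looks legitimate."""
    msg = parse_dhcp(payload)
    if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None                                # not an OFFER; nothing to judge here
    if ipaddress.IPv4Address(src_ip) not in ipaddress.IPv4Network(local_net):
        return f"OFFER from outside {local_net}"   # an unrelayed OFFER never comes from off-link
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return "OFFER without a valid server identifier"
    sid = str(ipaddress.IPv4Address(sid))
    if sid != src_ip:
        return f"server identifier {sid} does not match sender {src_ip}"
    if sid not in trusted_servers:
        return f"OFFER from untrusted server {sid}"
    return None

def build_offer(xid, yiaddr, server_id):
    """Construct a minimal DHCPOFFER as sample input (constructed, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)    # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes(16 + 64 + 128)                                     # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + MAGIC + opts + bytes([OPT_END])
```

Where a DHCP relay agent is in use, OFFERs reach the client from the relay's address rather than the server's, so the identifier-versus-sender check must be relaxed to accept the relay.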


</pre>
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00165" href="msg00165.html">[ale] Comcast linux...</a></strong>
<ul><li><em>From:</em> bigbinc03 at yahoo.com (Berlin Brown)</li></ul></li>
<li><strong><a name="00167" href="msg00167.html">[ale] Comcast linux...</a></strong>
<ul><li><em>From:</em> mike at tyderia.net (Mike Murphy)</li></ul></li>
<li><strong><a name="00183" href="msg00183.html">[ale] Comcast linux...</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
</body>
</html>