SUMMARY permanent ARP entry / diskless reboot

From: Jacques Beigbeder (Jacques.Beigbeder@ens.fr)
Date: Sat Nov 06 1993 - 02:49:06 CST


First question was:

>I want to secure my network: now students want to plug PC
>with Linux on Ethernet... Of course, they can spy
>Ethernet.
>Another trick is to act as an already existing host:
>on the PC you set up the good IP address, and then you
>gain a lot of access through NFS exports on the server:
>like reading anyone's files. To protect from this, I wanted to
>use explicit ARP tables.
>
>Unfortunately when a diskless station reboots, the status
>of the entry in the arp table changed from 'permanent'
>to normal status.
>1. Is there any way to have really permanent entries?

I talked with the (French) Hot Line. They told me that there's
the bug I described but gave no solution. There told me about
workarounds. Now every 5 minutes, I reload the ARP table.

But this method is not a method:
- every host who can use DECNET (DEC, Sun) has to control
the Ethernet address by software. DECNET addresses are
Ethernet address, and you want to choose your DECNET
address.
- on PC, hardware just sets up a default Ethernet address.
After software can control the Ethernet address.

>2. How do other sites handle PC on Ethernet? Do we have to stop
>using NFS, NIS, and so on?

a) Use secure RPC.
b) Use Kerberos. Then any important informations is crypted.
But what do you do with X-terminals, with Eudora on PC
and Mac? Is there a kerberised Eudora?
c) About the problem of spying Ethernet: use "switched Ethernet".
(Kalpana, Alantec, or Artel) Or "switching UTP hup".
Unfortunately there's no key on Ethernet cable, on plugs, ...:
so you can remove the cable from a running station,
amd acts as the station with a PC...

Thanks to:
        bartz@dadd.ti.com (Carl Bartz)
        Dan Stromberg - OAC-DCS <strombrg@hydra.acs.uci.edu>
        lemke@MITL.Research.Panasonic.COM (Kennedy Lemke)
        jason andrade <jason@pest.ctpm.uq.oz.au>
        led@abend.cc.purdue.edu (Lew Doll)
        blymn@mulga.awadi.com.AU (Brett Lymn)
        rlyle@nl.oracle.com (Rob Lyle UNIX Sys Admin)
        Mike Raffety <miker@il.us.swissbank.com>
        Lawson A S <tony@essex.ac.uk>
        birger@vest.sdata.no (Birger A. Wathne)
        peterg@murphy.com (Peter Gutmann)

Jacques Beigbeder | Internet: beig@ens.fr
Service de Prestations Informatiques |
Ecole Normale Superieure |
45 rue d'Ulm | Tel : (33-1) 44-32-37-96
F75230 Paris Cedex 05 | Fax : (33-1) 44-32-20-80



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:28 CDT