Can IP / MAC spoofing be blocked?
Sven Koch
haegar@sdinet.de
Thu, 19 Jul 2001 12:22:53 +0200 (CEST)
On Thu, 19 Jul 2001 Gert.Vandelaer@medisearch-int.com wrote:
> As for dial-in accounts, the sniffing becomes much harder ... you'd
> probably have to spoof yourself as the VPN server (endpoint, point of
> authentication),
> which implies DNS spoofing ... and then wait for the VPN client to try and
> initiate a connection and steal the MAC address.
You won't get a MAC address even with this.
ppp/sync-ppp does not use mac addresses and so they are not transported
there. A mac address is only valid inside one LAN - if there is a router
between you and the source, you will only see the mac address of the
router's interface. Which means that all traffic from the outside will
normally travel under the mac address of your border-router.
So to spoof mac addresses you have to be either inside the local lan (i.e.
attached to the same switch-/hub-chain), or take over one machine there.
> I'm currently looking into CIPE ... but haven't tested it yet ...
I'm currently using CIPE to connect my home-dsl (dynip/pppoe) to our
office network and give me static ips - it's simple and works - but I don't
know how secure it really is.
c'ya
sven
--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
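
The point about MAC scope can be turned into a monitoring check on a LAN segment; the following is an added example, not part of the original mail. It assumes a constructed subnet, router MAC and IP-to-MAC table, and classifies Ethernet II/IPv4 frames by whether the source MAC is consistent with the source IP.

```python
import ipaddress
import struct

# Constructed values for illustration; none of them come from the mail above.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_MAC = "02:00:00:00:00:01"  # LAN-side interface of the border router
KNOWN_HOSTS = {  # expected IP -> MAC bindings on the local segment
    "192.168.1.1": ROUTER_MAC,
    "192.168.1.10": "02:00:00:00:00:10",
}


def build_frame(src_mac, src_ip):
    """Build a minimal constructed Ethernet II + IPv4 header (no payload)."""
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45  # version 4, header length 5 words
    ip_hdr[12:16] = ipaddress.ip_address(src_ip).packed
    src = bytes.fromhex(src_mac.replace(":", ""))
    return b"\xff" * 6 + src + struct.pack("!H", 0x0800) + bytes(ip_hdr)


def parse_frame(frame):
    """Return (src_mac, src_ip) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac, ipaddress.ip_address(frame[26:30])


def classify(frame):
    """Check the source MAC against what the source IP implies."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "ignored"
    src_mac, src_ip = parsed
    if src_ip not in LAN:
        # Routed traffic can only arrive under the router's MAC.
        return "ok-routed" if src_mac == ROUTER_MAC else "off-lan-ip-from-local-mac"
    expected = KNOWN_HOSTS.get(str(src_ip))
    if src_mac == expected:
        return "ok-local"
    if src_mac == ROUTER_MAC:
        # A LAN source address that came in through the router.
        return "lan-ip-via-router"
    return "unknown-host" if expected is None else "binding-mismatch"


if __name__ == "__main__":
    print(classify(build_frame("02:00:00:00:00:99", "192.168.1.10")))
```
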