On Sat, 29 Jul 2000, David Chen wrote:

> > MAC addresses are trivially rewritable or fakeable. That won't give you
> > security. Similarly if the terminal servers are over ethernet then decnet
> > is also trivially spoofable

Since the host runs VMS, the terminal servers probably run LAT.

> How do you spoof MAC addresses? I thought they were hard-coded
> in the ethernet hardware/firmware. Why would any ethernet card maker
> let anyone easily write into ethernet firmware? Doesn't that defeat
> the whole idea of ethernet addresses being unique?

Not if you set unique addresses on each of your NICs.

I don't know *all* of the reasons for this, but DECnet Phase IV required the ability to set the physical address. Phase IV sets an Ethernet interface's physical address to AA-00-04-00-nn-nn where nn-nn is the 16 bits of the network-layer area.node address. The hard-coded address is the "hardware address", and it's copied to the physical address at reset. Token-ring adapters do this too. I get the impression that it's much more common in tokenland.

Getting back to the original posting, I don't see why it's necessary to eliminate the terminal server. They're simple, rugged, and good for all kinds of jobs. You'll just wind up building one out of some other kind of gear anyway, if terminals are involved. "If it ain't broke, don't fix it."

OTOH I don't see its use as much of a bar to a determined cracker. Neither Telnet, CTERM, nor LAT employs any kind of security that I can recall; your security lies in another layer, such as the use of strong passwords and/or encrypting the datalink layer.

--
Mark H. Wood, radical centrist OpenPGP ID 876A8B75
mhwood@ameritech.net
01/01/00 00:00:00 -- Apocralypse Now
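The Phase IV mapping described in the message above, as an added example that is not part of the original post: it derives the AA-00-04-00-nn-nn physical address from an area.node address and classifies observed addresses so an inventory shows which interfaces are not using their hardware address. The 6-bit area / 10-bit node split and the low-byte-first order of nn-nn are DECnet Phase IV details the message does not state; the function names and sample addresses are constructed.

```python
# Added example: DECnet Phase IV physical addresses (AA-00-04-00-nn-nn).
# Assumption not stated in the message: the 16-bit address is
# (area << 10) | node, stored low byte first in the last two octets.
DECNET_PREFIX = bytes.fromhex("aa000400")


def parse_mac(text):
    """Accept AA-00-04-00-01-04 or aa:00:04:00:01:04; return 6 raw bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return raw


def decnet_to_mac(area, node):
    """Physical address a Phase IV node sets for the given area.node."""
    if not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError("area must be 1..63 and node 1..1023")
    addr16 = (area << 10) | node
    raw = DECNET_PREFIX + addr16.to_bytes(2, "little")
    return "-".join(f"{b:02X}" for b in raw)


def classify(text):
    """Label an observed MAC for an address inventory."""
    raw = parse_mac(text)
    if raw[:4] == DECNET_PREFIX:
        addr16 = int.from_bytes(raw[4:], "little")
        return f"decnet {addr16 >> 10}.{addr16 & 0x3FF}"
    if raw[0] & 0x01:          # group (multicast/broadcast) bit
        return "group"
    if raw[0] & 0x02:          # locally administered bit: set by software
        return "locally-administered"
    return "universal"         # vendor-assigned hardware address


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    observed = ["AA-00-04-00-01-04", "08-00-2B-12-34-56",
                "02:00:00:aa:bb:cc", "FF-FF-FF-FF-FF-FF"]
    for mac in observed:
        print(f"{mac:20} {classify(mac)}")
```
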