Re: Spoof ethernet MAC address



On Tue, 11 Dec 2007, in the Usenet newsgroup comp.unix.bsd.openbsd.misc, in
article <59aaf7a6-6b48-46a2-98b7-66b903907e26@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
jakob wrote:

jpd <read_the_...@xxxxxxxxxxxxxxxxxxxxxx> wrote:

If you go set the mac address you need to know how it works. Some
mac addresses are multicast addresses (there are more than just the
``all-ones'' broadcast address) and obviously should not work. Others
are assigned to vendors so you shouldn't use them. Yet others are
``locally administrated'', akin to the RFC1918 private IP address
ranges.

That's probably a reasonable description.

IIRC only the low order bits of the first byte really matter?

If you are referring to the multicast and locally administered
bits, then yes - but there is a bit more to it than that.

[compton ~]$ zgrep '^[0-F][0-F]-[0-F]' MACaddresses.gz | cut -c1-5 |
sort | uniq -c | column
256 00-00   255 00-10   256 00-20     1 00-BA     1 02-C0
257 00-01   256 00-11     1 00-26     2 00-BB     1 02-CF
256 00-02   256 00-12   256 00-30   256 00-C0     1 02-E6
256 00-03   256 00-13   256 00-40     1 00-CB     1 04-0A
256 00-04   256 00-14     1 00-42     1 00-CF     1 04-E0
256 00-05   256 00-15     1 00-45   256 00-D0   143 08-00
253 00-06   256 00-16   239 00-50    16 00-DD     1 08-14
252 00-07   256 00-17   256 00-60   256 00-E0     1 08-BB
225 00-08   256 00-18     2 00-70     1 00-E6     3 10-00
255 00-09   256 00-19   256 00-80     1 02-07     1 11-00
256 00-0A   256 00-1A   256 00-90     1 02-1C     1 80-00
256 00-0B   256 00-1B     1 00-91     2 02-60     1 A0-6A
256 00-0C   256 00-1C     1 00-9D     3 02-70     5 AA-00
256 00-0D   256 00-1D   256 00-A0     1 02-9D     1 AC-DE
256 00-0E   256 00-1E     4 00-AA     1 02-AA
256 00-0F    53 00-1F    35 00-B0     1 02-BB
[compton ~]$

This 'MACaddresses' file is about a week old. As you can see, there
are 256 OUI blocks in the 00:00:xx range, _257_ in the 00:01:xx
range (00:01:C8 is listed twice, although it's actually the same
entity), and so on. When Xerox was administering the list, they
were not issuing address ranges consecutively, and IEEE is now filling
in the gaps. You may notice that the "multicast" address (01:00:5E)
isn't included in this file, but there is one OUI with the LSB of the
first nibble and first byte set (11:00:AA). What is interesting is
that a number of _assigned_ OUIs have the "locally administered" bit
(0x020000) set - such as 02:60:8C which is 3Com and was one of the
OUIs used for the classic 3C509 NIC.

should set unicast, ``globally unique'' addresses (some bogus vendor
IDs obviously, but does anyone actually check those?).

and the answer is a big "that depends". We not only monitor the IP
and MAC addresses and the relationships,

[compton ~]$ whatis arpwatch
arpwatch (8) - keep track of ethernet/ip address pairings
[compton ~]$

we also monitor which switch port the addresses are on. However,
we _are_ paranoid, and not everyone does anything like this much.
(We were actually dumping the ARP cache from servers and routers
and comparing this to a file of "known" addresses back in 1991 as a
security check.)

Old guy
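
An added example, not part of the original post: a small Python sketch of the two checks discussed in the thread, reading the multicast and locally administered bits from the first byte and tracking IP/MAC pairings the way an arpwatch-style monitor would. The event names, the allow-list of assigned OUIs, and all sample observations are constructed for illustration; only 02:60:8C, 11:00:AA and 01:00:5E come from the post.

```python
# Added example: classify MAC flag bits and track IP/MAC pairings.
# Event labels are this example's own, not arpwatch's report strings.

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def mac_flags(text):
    """Decode the two low-order bits of the first byte."""
    first = parse_mac(text)[0]
    return {"multicast": bool(first & 0x01),   # I/G bit
            "local": bool(first & 0x02)}       # U/L bit

def watch(observations, assigned_ouis=frozenset()):
    """Return (kind, ip, mac) events for a stream of (ip, mac) sightings."""
    seen, events = {}, []
    for ip, raw in observations:
        mac = ":".join(f"{b:02x}" for b in parse_mac(raw))
        flags = mac_flags(mac)
        if flags["multicast"]:
            # A multicast address should never appear as a station's own MAC.
            events.append(("multicast-source", ip, mac))
        elif flags["local"] and mac[:8] not in assigned_ouis:
            # The bit alone is not proof: some assigned OUIs carry it.
            events.append(("locally-administered", ip, mac))
        old = seen.get(ip)
        if old is None:
            events.append(("new-station", ip, mac))
        elif old != mac:
            events.append(("changed-mac", ip, mac))
        seen[ip] = mac
    return events

# Assigned OUI with the locally administered bit set, as named in the post.
ASSIGNED_WITH_LOCAL_BIT = frozenset({"02:60:8c"})

# Constructed sample sightings (documentation IP range, made-up host bytes).
SAMPLE = [
    ("192.0.2.10", "00-01-C8-11-22-33"),
    ("192.0.2.11", "02:60:8C:00:00:01"),
    ("192.0.2.10", "06:aa:bb:cc:dd:ee"),
    ("192.0.2.12", "01:00:5E:00:00:01"),
]

if __name__ == "__main__":
    for event in watch(SAMPLE, ASSIGNED_WITH_LOCAL_BIT):
        print(*event)
```
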