Re: Spoof ethernet MAC address



On Tue, 11 Dec 2007, in the Usenet newsgroup comp.unix.bsd.openbsd.misc, in
article <59aaf7a6-6b48-46a2-98b7-66b903907e26@xxxxxxxxxxxxxxxxxxxxxxxxxxx>,
jakob wrote:

jpd <read_the_...@xxxxxxxxxxxxxxxxxxxxxx> wrote:

If you go set the mac address you need to know how it works. Some
mac addresses are multicast addresses (there are more than just the
``all-ones'' broadcast address) and obviously should not work. Others
are assigned to vendors so you shouldn't use them. Yet others are
``locally administrated'', akin to the RFC1918 private IP address
ranges.

That's probably a reasonable description.

IIRC only the low order bits of the first byte really matter?

If you are referring to the multicast and locally administered
bits, then yes - but there is a bit more to it than that.

[compton ~]$ zgrep '^[0-F][0-F]-[0-F]' MACaddresses.gz | cut -c1-5 |
sort | uniq -c | column
256 00-00    255 00-10    256 00-20      1 00-BA      1 02-C0
257 00-01    256 00-11      1 00-26      2 00-BB      1 02-CF
256 00-02    256 00-12    256 00-30    256 00-C0      1 02-E6
256 00-03    256 00-13    256 00-40      1 00-CB      1 04-0A
256 00-04    256 00-14      1 00-42      1 00-CF      1 04-E0
256 00-05    256 00-15      1 00-45    256 00-D0    143 08-00
253 00-06    256 00-16    239 00-50     16 00-DD      1 08-14
252 00-07    256 00-17    256 00-60    256 00-E0      1 08-BB
225 00-08    256 00-18      2 00-70      1 00-E6      3 10-00
255 00-09    256 00-19    256 00-80      1 02-07      1 11-00
256 00-0A    256 00-1A    256 00-90      1 02-1C      1 80-00
256 00-0B    256 00-1B      1 00-91      2 02-60      1 A0-6A
256 00-0C    256 00-1C      1 00-9D      3 02-70      5 AA-00
256 00-0D    256 00-1D    256 00-A0      1 02-9D      1 AC-DE
256 00-0E    256 00-1E      4 00-AA      1 02-AA
256 00-0F     53 00-1F     35 00-B0      1 02-BB
[compton ~]$

This 'MACaddresses' file is about a week old. As you can see, there
are 256 OUI blocks in the 00:00:xx range, _257_ in the 00:01:xx
range (00:01:C8 is listed twice, although it's actually the same
entity), and so on. When Xerox was administering the list, they
were not issuing address ranges consecutively, and IEEE is now filling
in the gaps. You may notice that the "multicast" address (01:00:5E)
isn't included in this file, but there is one OUI with the LSB of the
first nibble and first byte set (11:00:AA). What is interesting is
that a number of _assigned_ OUIs have the "locally administered" bit
(0x020000) set - such as 02:60:8C which is 3Com and was one of the
OUIs used for the classic 3C509 NIC.

should set unicast, ``globally unique'' addresses (some bogus vendor
IDs obviously, but does anyone actually check those?).

and the answer is a big "that depends". We not only monitor the IP
and MAC addresses and the relationships,

[compton ~]$ whatis arpwatch
arpwatch (8) - keep track of ethernet/ip address pairings
[compton ~]$

we also monitor which switch port the addresses are on. However,
we _are_ paranoid, and not everyone does anything like this much.
(We were actually dumping the ARP cache from servers and routers
and comparing this to a file of "known" addresses back in 1991 as a
security check.)

Old guy
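
The checks discussed in this thread, as an added example that is not part of
the original posts: classify a source MAC by the two low-order bits of its
first byte, allow for assigned OUIs that carry the locally administered bit,
and flag IP/MAC pairing changes against a known list. All names, labels and
sample addresses are constructed; the exception set holds only the one OUI
the post names, and no vendor lookup is done.

```python
# Added example; names and sample data are constructed, not from the post.
I_G_BIT = 0x01  # first octet, least significant bit: group (multicast)
U_L_BIT = 0x02  # first octet, next bit: locally administered
# Assigned OUIs that carry the U/L bit anyway. Only the one the post names
# is listed; a real check would load these from a current OUI file.
ASSIGNED_WITH_UL_BIT = {"02:60:8C"}

def normalize(mac):
    """Return the MAC as upper-case colon-separated hex, or raise ValueError."""
    octets = [int(p, 16) for p in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join("%02X" % o for o in octets)

def classify(mac):
    """Classify a MAC by the I/G and U/L bits of its first octet."""
    mac = normalize(mac)
    first = int(mac[:2], 16)
    if mac == "FF:FF:FF:FF:FF:FF":
        return "broadcast"
    if first & I_G_BIT:
        return "multicast"
    if first & U_L_BIT and mac[:8] not in ASSIGNED_WITH_UL_BIT:
        return "locally-administered"
    return "unicast-assigned-range"

def watch(observations, known):
    """Compare (ip, source MAC) observations against known pairings."""
    known = dict(known)
    alerts = []
    for ip, mac in observations:
        mac = normalize(mac)
        kind = classify(mac)
        if kind in ("broadcast", "multicast"):
            alerts.append((ip, mac, "group-address-as-source"))
            continue  # never a valid station address, do not record it
        if kind == "locally-administered":
            alerts.append((ip, mac, "locally-administered"))
        if ip not in known:
            alerts.append((ip, mac, "new-pairing"))
        elif known[ip] != mac:
            alerts.append((ip, mac, "changed-mac"))
        known[ip] = mac
    return alerts

KNOWN = {"192.0.2.10": "00:00:5E:00:53:01"}  # constructed baseline
SAMPLE = [  # constructed observations
    ("192.0.2.10", "00-00-5e-00-53-01"), ("192.0.2.11", "02:60:8C:0A:0B:0C"),
    ("192.0.2.10", "02:11:22:33:44:55"), ("192.0.2.12", "01:00:5E:90:10:01"),
]
```
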