[unisog] LAN port security: Slightly different twist

John Kristoff jtk at aharp.is-net.depaul.edu
Mon Sep 2 16:04:47 GMT 2002


On Sun, Sep 01, 2002 at 11:04:54AM -0400, Marc Jimenez wrote:
> 	My proposed solution is to turn down the TTLs of all packets
> leaving our routers and entering the switching domain of the ResNet to 1.
> The idea being that end-clients would still gracefully receive these
> packets, but that NAT boxes or anything doing routing to another segment
> would drop them on arrival. This combined with the 1 MAC per port security
> would hopefully stop students from extending the ResNet into places we
> didn't want it. I haven't thought of anything this will break yet, but
> it's a strange enough thing to do that I'd love some feedback.

Personally I think you're going through a lot of technical trickery
to ensure a single host per port.  You probably won't be able to totally
prevent someone from getting around this.  There may be transparent
NAT boxes that do not alter the TTL (or increase them again) that they
could use as the box that looks like an end host to you.  Interesting
idea though.

John
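As an added illustration that is not part of either message above, the following Python model plays out Marc's TTL=1 idea and the limitation John raises: a packet handed into the switching domain with TTL 1 is still accepted by a directly attached host, a router or NAT box that decrements TTL before forwarding has to drop it, and a transparent box that does not decrement passes it through unchanged. The host and box names, and the simplified forwarding behaviour, are constructed for this example.

```python
"""Model of an edge router sending packets into a LAN with a low TTL.

Hypothetical topology, constructed for illustration:
  campus router --> dorm-pc                       (directly attached host)
  campus router --> student-nat --> hidden-pc     (NAT box that decrements TTL)
  campus router --> transparent-nat --> hidden-pc-2 (box that leaves TTL alone)
"""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    dst: str
    ttl: int


@dataclass
class EndHost:
    """Final destination: accepts any packet that arrives with TTL >= 1."""
    name: str
    received: List[Packet] = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        if pkt.ttl < 1:
            return False
        self.received.append(pkt)
        return True


@dataclass
class ForwardingBox:
    """A router or NAT box that forwards traffic on to a further segment.

    A conforming router decrements TTL and discards the packet when it would
    reach 0 (normally also emitting ICMP Time Exceeded). A transparent NAT box
    that rewrites addresses without touching TTL is modelled with
    decrements_ttl=False, which is the case John points out.
    """
    name: str
    next_hop: EndHost
    decrements_ttl: bool = True
    dropped: int = 0

    def receive(self, pkt: Packet) -> bool:
        if self.decrements_ttl:
            if pkt.ttl <= 1:
                self.dropped += 1       # TTL would hit 0: packet never leaves this box
                return False
            pkt = Packet(pkt.dst, pkt.ttl - 1)
        return self.next_hop.receive(pkt)


def send_into_lan(first_hop, dst: str, ttl: int) -> bool:
    """The campus router hands a packet to the switching domain with the chosen TTL."""
    return first_hop.receive(Packet(dst, ttl))


def evaluate_policy(ttl: int) -> Dict[str, bool]:
    """Report which of the three topologies still receives traffic at a given egress TTL."""
    direct = EndHost("dorm-pc")
    nat = ForwardingBox("student-nat", EndHost("hidden-pc"))
    transparent = ForwardingBox("transparent-nat", EndHost("hidden-pc-2"),
                                decrements_ttl=False)
    return {
        "direct_host": send_into_lan(direct, "dorm-pc", ttl),
        "host_behind_nat": send_into_lan(nat, "hidden-pc", ttl),
        "host_behind_transparent_nat": send_into_lan(transparent, "hidden-pc-2", ttl),
    }


if __name__ == "__main__":
    for egress_ttl in (64, 1):
        print(f"egress TTL={egress_ttl}: {evaluate_policy(egress_ttl)}")
```

Running it shows that the TTL=1 setting only distinguishes a host from a box that behaves as a proper router; the third row of `evaluate_policy(1)` is the case the control cannot see, which is why combining it with the per-port MAC limit, as Marc proposes, still leaves a gap rather than closing one.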


