Closed sbilly closed 6 years ago
The same ways you prevent ARP poisoning / spoofing in a non-ZeroTier network. If you send a forged reply ARP packet to a target Linux host on a regular network the same thing will happen. It's one of the problems with the ARP protocol and not a problem that ZeroTier is meant to solve. ZeroTier just handles packets and gets them to where they're supposed to go.
Perhaps the ipauth rule will prevent this for ZeroTier networks?
@glimberg
ARP Poisoning / ARP Spoofing may be used to hijack or sniff traffic. I think it will destroy the basis of many fundamental security features of a ZT network, such as micro-segmentation.
Many hardware switches have features to prevent ARP Poisoning / ARP Spoofing. So I think it's very important to prevent ARP Poisoning / ARP Spoofing in a ZT network, as it works as a smart Ethernet switch for Earth.
@sbilly The ZeroTier traffic is encrypted, and both members in a connection enforce any flow rules.
If someone spoofs ARP, all they will get is a bunch of encrypted packets right? Or do you mean an authorized member of the network doing ARP spoofing?
From the manual regarding ipauth:
In addition the not chr ipauth condition drops traffic between IP addresses that have not been assigned by ZeroTier to their respective sources or destinations, blocking all IP spoofing.
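For reference, the rule set the manual excerpt belongs to, written out in ZeroTier's rule language. This is an added example, not text from the thread: the first drop block is the default "only IPv4, ARP and IPv6" filter; the second is the ipauth block, which the stock rule set ships commented out and which is uncommented here. Whether this condition also inspects the addresses carried inside an ARP reply is exactly the question the thread is asking; the rules themselves only express the condition.

```text
# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
drop
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6
;

# Drop traffic between IP addresses that ZeroTier did not assign to the
# sender / receiver. Caveat from the stock rule comments: this also blocks
# IPs configured manually at the OS level, and bridging, unless you add
# rules that exempt those hosts or that traffic.
drop
	not chr ipauth
;

# Only sensible on a network that carries no IPv4 at all (e.g. 6PLANE only):
# there is nothing for ARP to resolve, so the frames can be dropped outright.
# drop
#	ethertype arp
# ;

# Accept anything else. Required, since the default action is drop.
accept;
```

Rules are evaluated in order and both endpoints of a flow enforce them, so the ipauth drop takes effect as soon as the network controller pushes the new rule set to members running a version that supports rules.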
Yes. I mean authorized member of the network doing ARP spoofing.
Thank you. @laduke
@laduke is it possible for a ZeroTier member to spoof an IP/MAC in an ARP response? Or does that rule cause the ARP response to be inspected and rejected if the MAC/IP inside it doesn't match the one assigned to the member? I'm still not sure if that rule applies to TCP packets only?
Thanks
In general yes, unless you have configured the ZeroTier network rule ipauth, or only use 6PLANE.
Thanks. So dropping traffic with not chr ipauth does actually prevent ARP spoofing? That's great. Would be nice to get that in the docs too :)
Do you know where the rules are implemented in the zt source?
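The question above is whether the addresses inside an ARP reply get checked against what the network assigned. Independent of what ZeroTier's filter does, this is what such a check looks like at the frame level. It is an added example, not ZeroTier code and not taken from the thread: it parses an Ethernet frame carrying an IPv4 ARP reply, compares the sender protocol address / sender hardware address pair against a table of network-assigned bindings (in a ZT network that would be the managed IPs and member MACs; here a constructed table), and also requires the Ethernet source MAC to agree with the ARP sender hardware address. The sample frames are constructed inline.

```python
"""Host-side consistency check for ARP replies against assigned IP/MAC bindings.

Added example, not ZeroTier code. The ASSIGNED table and the three frames below
are constructed sample data for the example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(eth_src: str, eth_dst: str, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an IPv4 ARP reply (used to construct samples)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, oper
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet II frame carrying an IPv4 ARP reply; None for anything else."""
    if len(frame) < 42:  # 14 bytes Ethernet + 28 bytes IPv4-over-Ethernet ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    eth_src = mac_str(frame[6:12])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return eth_src, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def check_arp_reply(frame: bytes, assigned: dict) -> str:
    """Classify an ARP reply: 'ok', 'not-arp-reply', or a 'reject: ...' reason.

    assigned maps an IP string to the MAC string the network bound it to."""
    parsed = parse_arp_reply(frame)
    if parsed is None:
        return "not-arp-reply"
    eth_src, sha, spa, _tha, _tpa = parsed
    # The L2 source and the ARP sender hardware address must agree.
    if eth_src != sha:
        return "reject: ethernet source %s != arp sender %s" % (eth_src, sha)
    # The claimed sender IP must be an assigned address, bound to this MAC.
    expected = assigned.get(spa)
    if expected is None:
        return "reject: %s is not an assigned address" % spa
    if expected != sha:
        return "reject: %s belongs to %s, not %s" % (spa, expected, sha)
    return "ok"


# Constructed sample data: three members with network-assigned addresses.
ASSIGNED = {
    "10.147.17.1": "02:11:11:11:11:11",  # gateway
    "10.147.17.2": "02:22:22:22:22:22",  # victim
    "10.147.17.3": "02:33:33:33:33:33",  # attacker
}

# Gateway answers the victim with its own IP/MAC pair.
LEGIT_REPLY = build_arp_reply("02:11:11:11:11:11", "02:22:22:22:22:22",
                              "02:11:11:11:11:11", "10.147.17.1",
                              "02:22:22:22:22:22", "10.147.17.2")

# Attacker claims the gateway's IP for its own MAC (classic poisoning reply).
FORGED_REPLY = build_arp_reply("02:33:33:33:33:33", "02:22:22:22:22:22",
                               "02:33:33:33:33:33", "10.147.17.1",
                               "02:22:22:22:22:22", "10.147.17.2")

# Attacker fakes the ARP sender hardware address but not the Ethernet source.
MISMATCHED_REPLY = build_arp_reply("02:33:33:33:33:33", "02:22:22:22:22:22",
                                   "02:11:11:11:11:11", "10.147.17.1",
                                   "02:22:22:22:22:22", "10.147.17.2")

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_REPLY), ("forged", FORGED_REPLY),
                        ("mismatched", MISMATCHED_REPLY)):
        print(name, "->", check_arp_reply(frame, ASSIGNED))
```

The binding table is the whole point: the check is only as good as the source of truth for which IP belongs to which MAC, which is why doing it at the network layer (where the controller already knows the assignments) is more attractive than a per-host allowlist.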
How to Prevent ARP Poisoning / ARP Spoofing in a ZT Network?
If we send a forged ARP reply packet to a target Linux host in a ZT network, the target host will update its ARP cache. So I can carry out an ARP Poisoning / ARP Spoofing attack in a ZT network.
ARP Spoof / ARP Poisoning: https://en.wikipedia.org/wiki/ARP_spoofing