zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

[question] How to Prevent ARP Poisoning / ARP Spoof in ZT Network ? #840

Closed sbilly closed 6 years ago

sbilly commented 6 years ago

How to Prevent ARP Poisoning / ARP Spoof in ZT Network ?

If we send a forged ARP reply packet to a target Linux host in a ZT network, the target host will update its ARP cache. So I can carry out an ARP Poisoning / ARP Spoof attack in a ZT network.

ARP Spoof / ARP Poisoning: https://en.wikipedia.org/wiki/ARP_spoofing

glimberg commented 6 years ago

The same ways you prevent ARP Poisoning /spoofing in a non-ZeroTier network. If you send a forged reply ARP packet to a target Linux host on a regular network the same thing will happen. It's one of the problems with the ARP protocol and not a problem that ZeroTier is meant to solve. ZeroTier just handles packets and gets them to where they're supposed to go.

janjaapbos commented 6 years ago

Perhaps the ipauth rule will prevent this for ZeroTier networks?

sbilly commented 6 years ago

@glimberg

ARP Poisoning / ARP Spoofing may be used to hijack or sniff traffic. I think it will destroy the basis of many fundamental security features of a ZT network, such as micro-segmentation.

There are many hardware switches that have features to prevent ARP Poisoning / ARP Spoofing. So I think it's very important to prevent ARP Poisoning / ARP Spoofing in a ZT network, as it works as a smart ethernet switch for earth.

laduke commented 6 years ago

@sbilly The zerotier traffic is encrypted, and both members in a connection enforce any flow rules.

If someone spoofs ARP, all they will get is a bunch of encrypted packets right? Or do you mean an authorized member of the network doing ARP spoofing?

From the manual regarding ipauth

In addition the not chr ipauth condition drops traffic between IP addresses that have not been assigned by ZeroTier to their respective sources or destinations, blocking all IP spoofing.

sbilly commented 6 years ago

Yes. I mean an authorized member of the network doing ARP spoofing.

Thank you. @laduke

tjenkinson commented 2 years ago

@laduke is it possible for a ZeroTier member to spoof an IP/MAC in an ARP response? Or does that rule cause the ARP response to be inspected and rejected if the MAC/IP inside it doesn't match the one assigned to the member? I'm still not sure if that rule applies to TCP packets only?

Thanks

janjaapbos commented 2 years ago

In general yes, unless you have configured the ZeroTier network rule ipauth, or only use 6PLANE.

tjenkinson commented 2 years ago

Thanks. So dropping traffic with not chr ipauth does actually prevent arp spoofing? That’s great. Would be nice to get that in the docs too :)
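Added worked example (editor's illustration, not ZeroTier's own code): a small model of what the `drop not chr ipauth;` rule quoted from the manual above has to check, applied to both an IPv4 frame and an ARP reply, so the question in this thread can be reasoned about concretely. The rule syntax is ZeroTier's; everything else is constructed. The member IDs, MACs and addresses are made up, and the ARP branch is an assumption about what an ipauth-style check would need to look at (the ARP sender/target protocol addresses and the sender hardware address) to stop the cache poisoning described in the opening post. Whether ZeroTier's rule engine evaluates ARP this way is exactly what the thread asks and does not settle here.

```python
"""
Model of the rule set

    drop not chr ipauth;
    accept;

evaluated, as laduke notes above, by both members of a link.  Constructed
for illustration only: member IDs, MACs and addresses below are made up, and
the ARP handling is the editor's assumption, not ZeroTier's implementation.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed member table: node ID -> (MAC, addresses the controller assigned).
ASSIGNED = {
    "a1b2c3d4e5": ("02:11:22:33:44:01", {"10.147.17.1"}),  # legitimate gateway
    "f6e7d8c9b0": ("02:11:22:33:44:02", {"10.147.17.2"}),  # victim
    "0123456789": ("02:11:22:33:44:03", {"10.147.17.3"}),  # authorized but hostile member
}


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply (opcode 2)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 2)
    arp += _mac(sender_mac) + IPv4Address(sender_ip).packed
    arp += _mac(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip) -> bytes:
    """Ethernet frame carrying a minimal IPv4 header (no payload, checksum left zero)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip


def extract_ips(frame: bytes):
    """(source, destination) for IPv4, (sender, target) for ARP, None for anything else."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
        return str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34]))
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        return str(IPv4Address(frame[28:32])), str(IPv4Address(frame[38:42]))
    return None


def chr_ipauth(frame: bytes, sender_id: str, receiver_id: str) -> bool:
    """True when the addresses in the frame were assigned to the members actually
    sending and receiving it.  For ARP (assumed handling) the sender hardware
    address must also be the sender's own MAC, since that binding is what poisons
    a cache."""
    ips = extract_ips(frame)
    if ips is None:
        return False  # ipauth says nothing about other ethertypes; treat as unauthenticated
    src_ip, dst_ip = ips
    sender_mac, sender_ips = ASSIGNED[sender_id]
    _, receiver_ips = ASSIGNED[receiver_id]
    if src_ip not in sender_ips or dst_ip not in receiver_ips:
        return False
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_ARP:
        return frame[22:28] == _mac(sender_mac)
    return True


def verdict(frame: bytes, sender_id: str, receiver_id: str) -> str:
    """Evaluate `drop not chr ipauth; accept;` for one frame."""
    return "accept" if chr_ipauth(frame, sender_id, receiver_id) else "drop"


def scenarios() -> dict:
    gw_mac, victim_mac, evil_mac = (ASSIGNED[k][0] for k in ("a1b2c3d4e5", "f6e7d8c9b0", "0123456789"))
    return {
        # Real gateway answering the victim: passes.
        "legit_arp": verdict(build_arp_reply(gw_mac, "10.147.17.1", victim_mac, "10.147.17.2"),
                             "a1b2c3d4e5", "f6e7d8c9b0"),
        # Hostile member claims the gateway's IP with its own MAC: the sender IP is
        # not among its assigned addresses, so the reply never reaches the victim.
        "poison_arp": verdict(build_arp_reply(evil_mac, "10.147.17.1", victim_mac, "10.147.17.2"),
                              "0123456789", "f6e7d8c9b0"),
        # Same member forging the IPv4 source address: dropped for the same reason.
        "spoofed_ipv4": verdict(build_ipv4_frame(evil_mac, victim_mac, "10.147.17.1", "10.147.17.2"),
                                "0123456789", "f6e7d8c9b0"),
        # Using its own address it can still talk.
        "legit_ipv4": verdict(build_ipv4_frame(evil_mac, victim_mac, "10.147.17.3", "10.147.17.2"),
                              "0123456789", "f6e7d8c9b0"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13s} -> {result}")
```

The thing to take from the model is that ipauth is a per-member identity check, not a protocol filter: it only helps against an authorized member once the addresses it is allowed to use are the ones the controller handed out. The comment in ZeroTier's default rule template makes the corresponding cost explicit: with `drop not chr ipauth` in place, addresses set manually at the OS level and bridged traffic are dropped too unless exempted by further rules.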

tjenkinson commented 2 years ago

Do you know where the rules are implemented in the zt source?