
[Any lingering cypherpunk-relevant curiosity should probably be directed to http://cougar.haverford.edu/resnet96/repeaters.html ]

On Wed, 14 Aug 1996, Rabid Wombat wrote:

> On Tue, 13 Aug 1996, Rich Graves wrote:
>
> > On Tue, 13 Aug 1996, Ben Combee wrote:
> >
> > > The "secure hubs" at GATech don't do encryption -- no way could that be done at wire speed. What they do is fill the data portion of the Ethernet packet with nulls. Everyone gets to see the source and destination MAC address and length of every packet, but only the recipient (or a very clever spoofer -- most of the "secure hubs" on the market have a few vulnerabilities) gets the data.
>
> What vulnerabilities? I've heard tell of some(?) that "leak" unscrambled packets if flooded with extreme traffic levels, but have never seen or verified this. Got any specifics?

Change your MAC address to be the same as the hub's. 3Com recently fixed this. Others might not have.

> > As far as real-world geek apartments go, I heard of one in Manhattan that worked exactly as described. I don't know whether they run "secure hubs." Presumably they would -- I can't think of a major manufacturer's manageable 10BaseT hub that lacks MAC address lockout features.
>
> Most manufacturers offer SNMP-manageable hubs, but these don't offer MAC-layer security. That usually costs a lot extra. The MAC-layer feature is not widely used.

That was true six months ago, but 3Com, Allied, Cabletron, Synoptics, HP, UB, and others now include it as a matter of course. Asante is the notable exception. There are some kooks out there, like the people at RIT, who think that everyone needs switched ports; and a few cheapskates, like management at a major university in the Palo Alto area, who stick with Asante because it's cheapest, and trust students to be nice (or at least nice enough to get caught).

> btw - if I were in an apartment environment, I'd want the "secure hubs", and would verify that they're actually in the secure mode. They usually have a "learning" mode, where they simply register the MAC address most recently assigned to each port (sort of like learning bridges - this saves a lot of manual entry). Of course, if left in this mode, they don't do a thing for security.

Sure they do. You'd have a reasonable assurance that wherever you went, you'd be the only one seeing your packets -- assuming the backbone is secure, which you need to assume anyway if you're not doing packet, session, or application-layer encryption (which is the ultimate goal). The roving portable computer is a pretty common case nowadays. The only thing a static table gets you is intruder control.

-rich
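The two behaviours argued over above, a "secure hub" that blanks the data portion for every port except the registered recipient, and the difference between learning mode and a static port-to-MAC table, as a toy model added here (not code from the thread or from any hub vendor; the MAC strings and payloads are constructed, and `audit` is a hypothetical check of the kind one would run before trusting such a hub):

```python
"""Toy model of a 1990s 'secure' 10BaseT hub as described in the thread."""
from dataclasses import dataclass, field

NULL = b"\x00"

@dataclass
class Frame:
    dst: str      # destination MAC (constructed, e.g. "00:aa:bb:cc:dd:01")
    src: str      # source MAC
    data: bytes   # payload: the part the hub blanks for non-recipients

@dataclass
class SecureHub:
    ports: int
    learning: bool = True                        # learning mode is the default
    table: dict = field(default_factory=dict)    # port -> MAC registered for it
    violations: list = field(default_factory=list)

    def lock(self, port, mac):
        """Static assignment (secure mode): pin one MAC to one port."""
        self.table[port] = mac

    def repeat(self, ingress, frame):
        """Return {port: frame_as_seen_on_that_port} for every port but ingress.
        Only the port whose registered MAC equals frame.dst sees the data;
        all others get the same header with the data portion set to nulls."""
        if self.learning:
            self.table[ingress] = frame.src      # last MAC seen wins: no security
        elif self.table.get(ingress) != frame.src:
            self.violations.append((ingress, frame.src))   # intruder control
            return {}                            # station not pinned to this port
        blanked = Frame(frame.dst, frame.src, NULL * len(frame.data))
        out = {}
        for port in range(self.ports):
            if port == ingress:
                continue
            out[port] = frame if self.table.get(port) == frame.dst else blanked
        return out

def audit(hub):
    """Check the hub really is in secure mode with every port pinned."""
    unpinned = [p for p in range(hub.ports) if p not in hub.table]
    return {"learning_mode": hub.learning, "unpinned_ports": unpinned}
```

In learning mode a port simply re-registers whatever source MAC it last saw, so `audit` reporting `learning_mode: True` or any unpinned ports means the hub is giving no more protection than an ordinary repeater.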