
On Tue, 13 Aug 1996, Rich Graves wrote:
On Tue, 13 Aug 1996, Ben Combee wrote:
The "secure hubs" at GATech don't do encryption -- no way could that be done at wire speed. What they do is fill the data portion of the Ethernet packet with nulls. Everyone gets to see the source and destination MAC address and length of every packet, but only the recipient (or a very clever spoofer -- most of the "secure hubs" on the market have a few vulnerabilities) gets the data.
What vulnerabilities? I've heard tell of some(?) that "leak" unscrambled packets if flooded with extreme traffic levels, but have never seen or verified this. Got any specifics?
If you run a packet sniffer, all you get are CRC errors (in order to maintain wire speed, the non-destination ports don't compute one).
As far as real-world geek apartments go, I heard of one in Manhattan that worked exactly as described. I don't know whether they run "secure hubs." Presumably they would -- I can't think of a major manufacturer's manageable 10BaseT hub that lacks MAC address lockout features.
Most manufacturers offer SNMP-manageable hubs, but these don't offer MAC-layer security. That usually costs a lot extra. The MAC-layer feature is not widely used.
OTOH, I've heard tell that several of the residential coax experiments run promiscuously. Everything your neighbor does online, you can see with the right software.
If it is Ethernet (or any baseband technology, AFAIK), and on coax, then of course it is "promiscuous." All devices must see the packet; they're on a bus. The 10T hubs also follow the "all devices must see the packet" rule, but by design; a packet is received on the "receive" pair of one port, and transmitted on the "xmit" pairs of all ports. The secure hubs overwrite the data payload with "junk" first - no encryption involved, nothing to crack, and, as you've pointed out, without recomputing CRC.

btw - if I were in an apartment environment, I'd want the "secure hubs", and would verify that they're actually in the secure mode. They usually have a "learning" mode, where they simply register the MAC address most recently assigned to each port (sort of like learning bridges - this saves a lot of manual entry). Of course, if left in this mode, they don't do a thing for security. On the flip side, if secured, and you change network cards, or bring that laptop home from the office, etc., you won't be able to use it without the intervention of the hub's administrator.

And yes, packet sniffers are easy to get a hold of; freeware is abundant. Anyone can easily use one on a segment they've got access to.

- r.w.
-rich
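A small model of the hub behaviour the thread describes (added here as an illustration; it is not code from anyone in the thread): the port whose registered MAC matches the destination gets the frame intact, every other port gets the header and length with a nulled payload and the original FCS copied through, so a sniffer there sees only a CRC error; in learning mode the hub repeats the frame unchanged to every port. The MAC addresses and payload are constructed sample values.

```python
import struct
import zlib

# Constructed sample MAC addresses for the simulation (not from the thread).
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_C = bytes.fromhex("02000000000c")

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: IEEE CRC-32 over dst+src+length+payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """802.3 frame without preamble: 6-byte dst, 6-byte src, 2-byte length, payload, 4-byte FCS."""
    body = dst + src + struct.pack("!H", len(payload)) + payload
    return body + fcs(body)

def secure_hub_forward(frame: bytes, port_macs: dict, secure_mode: bool = True) -> dict:
    """Model of the hub behaviour described in the thread: every port sees the header
    (dst, src, length), but only the port whose registered MAC matches the destination
    gets the payload; the others get it overwritten with nulls, and the original FCS is
    copied through unchanged rather than recomputed. In learning mode (secure_mode=False)
    the hub simply repeats the frame to every port, which gives no protection at all."""
    dst = frame[:6]
    out = {}
    for port, mac in port_macs.items():
        if not secure_mode or mac == dst:
            out[port] = frame
        else:
            out[port] = frame[:14] + b"\x00" * (len(frame) - 18) + frame[-4:]
    return out

def fcs_ok(frame: bytes) -> bool:
    """What a receiving NIC checks: does the trailing FCS match the rest of the frame?"""
    return frame[-4:] == fcs(frame[:-4])

def sniffer_view(frame: bytes) -> dict:
    """What a promiscuous sniffer attached to one port can learn from one frame."""
    return {
        "dst": frame[:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "length": struct.unpack("!H", frame[12:14])[0],
        "payload": frame[14:-4],
        "fcs_ok": fcs_ok(frame),  # False on a scrambled copy: the sniffer logs a CRC error
    }

if __name__ == "__main__":
    frame = build_frame(MAC_A, MAC_B, b"hello from B")
    for port, copy in secure_hub_forward(frame, {1: MAC_A, 2: MAC_B, 3: MAC_C}).items():
        print(port, sniffer_view(copy))
```

Running it with `secure_mode=False` shows why r.w.'s advice to verify the mode matters: every port then receives the intact frame with a valid FCS.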