DHCP Snooping mac mismatch

The article has a link at the bottom to this article:

https://www.net.princeton.edu/mac/network-config-x/caveats.html#ip-weakend

Which has this observation:

If the Mac has more than one network port (e.g. Ethernet and Wi-Fi) designated Active and simultaneously attached to two networks, and these networks are different IP subnets, some traffic sent by the Mac will be discarded by the campus network. Apple OS X's IP implementation uses the "Weak End System Model" with respect to transmitting. The Mac transmits some data via one network port, but marks the data as coming from the IP address of the other network port. OIT's IP routers perform "IP ingress spoof filtering" to discard packets containing IP sources inappropriate for the network on which they were received, as such traffic can represent a security problem.

This is not a bug in Apple OS X's IP implementation; the "Weak End System Model" is allowed by IP specifications. Neither is there anything wrong with the IP ingress spoof filtering performed on OIT's IP routers. However, when used in combination, they result in packet loss. IP ingress spoof filtering is an important measure to combat certain kinds of network-based attacks; it will not be disabled.

One fix would be for Apple OS X to adopt the "Strong End System Model" with respect to transmitting. This ensures that data transmitted by the Mac from each network port is marked with the IP address of that network port, not the Mac's other network port. Such an approach is especially appropriate for multihomed hosts. However, we are not aware of any plans to enhance Apple OS X to do this.

This issue is not unique to Apple OS X; most current operating systems employ the Weak End System Model, as their IP implementations were written before IP ingress spoof filtering was a common practice. The issue is highlighted by Apple OS X because by default, it tries to make all ports active, and modern Macs often have both an Ethernet and a Wireless port.

To work around the problem, we recommend you not allow the Mac to find itself in a situation where more than one network port is designated Active and simultaneously attached to a live network. You can do so by following OIT's instructions for creating multiple locations, designating all but one network port as Inactive in each location. (I.e. do not rely on the Automatic location shipped with Apple OS X if the Mac has multiple network ports.)

If the Mac has more than one network port (e.g. Ethernet and Wi-Fi) designated Active and simultaneously attached to the same IP network (i.e. subnet), the Mac's operating system may operate in a way that's not acceptable on the campus network. This is a variation of the issue described above (the "Weak End System Model" with respect to transmitting), but is a larger problem when both interfaces are attached to the same IP subnet. Like most operating systems, Apple OS X may not operate well when it has multiple interfaces attached to the same IP subnet simultaneously. Most operating systems are not designed to handle this configuration.

You will not encounter this situation if your Mac has just an Ethernet and a Wi-Fi interface, and the Wi-Fi interface is configured to use only OIT Wireless Service, as OIT Wireless Service provides a connection to an IP subnet that is not available via any other mechanism (there are no customer Ethernet ports attached to the same subnet as OIT Wireless Service). But you will encounter this situation if you configure your Wi-Fi interface to use other (private) Wireless Access Points, and any of them are configured to operate as a bridge and are attached to the same IP network that your Mac's Ethernet interface is currently wired to.

To work around the problem, you must not allow the Mac to find itself in this situation. You can do so by following OIT's instructions for creating multiple locations, designating all but one network port as Inactive in each location. (I.e. do not rely on the Automatic location shipped with Apple OS X if the Mac has multiple network ports.)


In my environment we use:

no ip dhcp snooping verify mac-address  

but just because our security found that acceptable doesn't mean yours will.
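To make the two checks discussed in this thread concrete, here is an added example (not code from the commenter, from Princeton OIT, or from any vendor) that simulates them on constructed frames: the IP ingress spoof filter from the quoted caveats page, which drops a packet whose source IP does not belong to the subnet of the port it arrived on (the Weak End System Model case), and the DHCP snooping MAC verification that `ip dhcp snooping verify mac-address` enables, which drops a DHCP message whose Ethernet source MAC differs from the client hardware address (chaddr) inside it. The port names, subnets, MAC addresses and the DHCP DISCOVER bytes are all constructed for the example; the chaddr offset follows the RFC 2131 fixed header.

```python
"""Simulate two switch/router checks from the thread on constructed frames:
  1. IP ingress spoof filtering: source IP must belong to the ingress subnet
  2. DHCP snooping 'verify mac-address': frame source MAC must equal DHCP chaddr
All topology and traffic below is constructed for illustration."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class Frame:
    ingress_if: str        # port the switch/router received the frame on
    src_mac: str           # Ethernet source MAC
    src_ip: str            # IP source address
    payload: bytes = b""   # raw BOOTP/DHCP message if this is a DHCP frame


# Constructed topology: subnet directly attached to each port (hypothetical names)
INGRESS_SUBNETS = {
    "Gi1/0/1": ipaddress.ip_network("10.1.1.0/24"),   # wired port
    "Gi1/0/2": ipaddress.ip_network("10.2.2.0/24"),   # wireless bridge uplink
}


def ingress_spoof_filter(frame):
    """True if the packet passes ingress spoof filtering.
    0.0.0.0 is allowed because a client without a lease must send DHCP from it."""
    src = ipaddress.ip_address(frame.src_ip)
    if src == ipaddress.ip_address("0.0.0.0"):
        return True
    return src in INGRESS_SUBNETS[frame.ingress_if]


def dhcp_chaddr(payload):
    """Extract the client hardware address from a BOOTP/DHCP message.
    RFC 2131 fixed header: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2)
    flags(2) ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) -> 44 bytes."""
    if len(payload) < 44:
        return None
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    return ":".join(f"{b:02x}" for b in chaddr)


def dhcp_snooping_verify_mac(frame):
    """True if the frame passes 'ip dhcp snooping verify mac-address':
    the Ethernet source MAC must match the DHCP chaddr. Non-DHCP frames pass."""
    if not frame.payload:
        return True
    chaddr = dhcp_chaddr(frame.payload)
    return chaddr is not None and chaddr.lower() == frame.src_mac.lower()


def evaluate(frame):
    """Return the list of checks that would drop the frame (empty = forwarded)."""
    drops = []
    if not ingress_spoof_filter(frame):
        drops.append("ingress-spoof-filter")
    if not dhcp_snooping_verify_mac(frame):
        drops.append("dhcp-snooping-verify-mac")
    return drops


def build_dhcp_discover(client_mac, xid=0x12345678):
    """Build a minimal constructed DHCP DISCOVER with the given chaddr."""
    mac = bytes(int(x, 16) for x in client_mac.split(":"))
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, broadcast flag set
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    # chaddr padded to 16, then sname(64) + file(128) zeroed, then magic cookie
    return header + mac.ljust(16, b"\x00") + bytes(192) + b"\x63\x82\x53\x63"


CLIENT_MAC = "aa:bb:cc:dd:ee:01"   # the Mac's Wi-Fi adapter (constructed)
BRIDGE_MAC = "aa:bb:cc:dd:ee:99"   # a bridging AP that rewrites source MACs (constructed)

SAMPLE_FRAMES = {
    # Weak End System Model: sent via the wireless path but stamped with the wired IP
    "weak_es": Frame("Gi1/0/2", CLIENT_MAC, "10.1.1.50"),
    # Strong End System Model: source IP matches the interface actually used
    "strong_es": Frame("Gi1/0/2", CLIENT_MAC, "10.2.2.50"),
    # DHCP DISCOVER where the frame MAC and chaddr agree
    "dhcp_ok": Frame("Gi1/0/2", CLIENT_MAC, "0.0.0.0", build_dhcp_discover(CLIENT_MAC)),
    # DHCP DISCOVER forwarded by a device that rewrote the Ethernet source MAC
    "dhcp_mismatch": Frame("Gi1/0/2", BRIDGE_MAC, "0.0.0.0", build_dhcp_discover(CLIENT_MAC)),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        drops = evaluate(frame)
        print(f"{name:14s} {'forwarded' if not drops else 'dropped by ' + ', '.join(drops)}")
```

The last sample is the case the commenter's `no ip dhcp snooping verify mac-address` setting tolerates: the DHCP message itself is well formed, but the Ethernet source MAC no longer matches chaddr once an intermediate device has rewritten it, so the snooping check drops it unless verification is turned off. The first sample is the separate Weak End System Model loss described on the Princeton page, which no DHCP snooping setting affects.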
