Ip-sentinel - Summary
This version adds an '-action' option to execute a program when a disallowed ARP packet is detected. Sorting of IP addresses now happens in an endian-neutral manner, and support for the old, deprecated logging format has been removed from the source. Beginning with this version, ip-sentinel is hosted at Savannah.
This project is not part of the GNU Project.
This program tries to prevent unauthorized use of IP addresses within the local Ethernet broadcast domain by answering ARP requests for them. After receiving such a faked reply, the requesting party stores the announced MAC in its ARP table and sends future packets to that MAC. Because this MAC is invalid, the host with the unauthorized IP cannot be reached.
Registration Date: Wed 22 Dec 2004 06:56:01 PM UTC
License: Other license - GNU General Public License V2
Development Status: 5 - Production/Stable
Copyright © 2019 Free Software Foundation, Inc.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.
Configuration File
The location of the config file is relative to the chosen chroot directory. Its default is determined at compilation time but can be overridden with the --ipfile option.
The content of this file has the following syntax (one entry per line):

ip [mac]
Specifies an IP which shall be blocked. 'Blocked' means that ARP replies will be generated telling that the IP address ip has the MAC mac. When the mac parameter is not given, a random one will be chosen.
Attention: assigning a fixed MAC in a switched environment will not have the desired effect, because the switch gets confused when it receives ARP replies for the same IP on different ports (the bad host's port and the ip-sentinel host's port).
Examples: '192.168.42.23 11:22:33:44:55:66' or '10.0.0.0'.

ip@srcmac, ip@!srcmac
Similar to the above, but when receiving ARP requests, the entire sender address (IP and MAC) is compared against the ip and srcmac values. This setting affects packets from intruders only; ip-sentinel will not generate replies when ip is requested.
When srcmac is negated with '!', only senders with this ip which do not have this MAC will match.
Examples: '10.0.0.1@0:1:2:3:4:5' or '10.0.0.2@!a:b:c:d:e:f'.

*@srcmac
Every host using srcmac will be blocked unless there is a matching ip@srcmac specification. This form does not support the '!' modifier.

ip/netmask [mac]
Specifies that the IPs of an entire network shall be blocked. See above for the meaning of 'blocked'. A MAC address may be given; otherwise a random one will be generated.
Examples: '169.0.0.0/8', '192.168.8.15/255.255.65.31' or '192.168.23.42/26 a:b:c:d:e:f'.

!ip
The given IP address ip will be ignored. By default, any address not specified is ignored, but when whole netmasks are blocked it can be useful to allow certain IPs.
Example: '!192.168.23.42'

!ip/netmask
Tells that the IPs of the given network shall be ignored.
Examples: '!192.168.1.0/255.255.255.0' or '!0.0.0.0/0' (the default).

# ...
A comment; will be ignored.
To be switch-friendly, only a few random MACs are possible; they have the format 'de:ad:be:ef:00:XX', and within a short timespan only 32 values are possible for XX.
When networks and/or single IPs overlap, the entry with the most specific netmask (highest count of 1 bits) takes precedence. When netmasks are equal, networks using the '@srcmac' or '@!srcmac' syntax take precedence over those without source MACs; this '@...' rule does not apply to single IPs. The behavior is unspecified when overlapping networks have the same count of 1 bits and the same kind of '@...' specification, or when IPs are duplicated.
Performance
The lookup of single IPs has a complexity of O(log n), that of netmasks O(n).
Special MAC Addresses
Beside the usual colon-delimited hex-octet MAC addresses, ip-sentinel understands some special strings, both on the command line and in the configuration file:

- a keyword that expands to the MAC address of the interface in use;
- a keyword meaning a random MAC address, newly calculated on every use;
- '802.1d', which expands to 01:80:C2:00:00:00, the 'Bridge Group Address';
- '802.3x', which expands to 01:80:C2:00:00:01, the address for 'IEEE Std. 802.3x Full Duplex PAUSE operation'. This MAC address is blocked by a lot of switches and will probably become the default in future versions.

The 802.* addresses have a special meaning for some switches: packets having them as destination address are dropped by the switch instead of being flooded to all ports. But whether and how these MACs are honored depends on the switch in use.

Some switches can show unexpected behavior or even crash if the special 802.* MAC addresses are used.
Ranges
Except in comments, it is possible to specify ranges anywhere in the configuration file. These ranges have the format '{from-to}' or '{item1,item2,...,itemN}'. The first format includes every number from 'from' to 'to' (inclusive), while the latter expands to the listed items only. The expansion happens per line, and more than one range per line may be used, so that
192.168.0.{1-3} 0:0:0:0:0:1
192.168.1.{1,3} 0:0:0:0:0:2
192.168.{2,4}.{1-3} 0:0:0:0:0:3
is the same as writing
192.168.0.1 0:0:0:0:0:1
192.168.0.2 0:0:0:0:0:1
192.168.0.3 0:0:0:0:0:1
192.168.1.1 0:0:0:0:0:2
192.168.1.3 0:0:0:0:0:2
192.168.2.1 0:0:0:0:0:3
192.168.2.2 0:0:0:0:0:3
192.168.2.3 0:0:0:0:0:3
192.168.4.1 0:0:0:0:0:3
192.168.4.2 0:0:0:0:0:3
192.168.4.3 0:0:0:0:0:3
Because a single line can create a very large number of entries (e.g. '{0-255}.{0-255}.{0-255}.{0-255}' would cover the entire IPv4 Internet), ranges should be used sparingly. When possible, large ranges should be expressed with netmasks.
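The entry forms, the range expansion and the precedence rules described above, as an added example that is not part of ip-sentinel's own code: a Python parser for this line syntax that expands '{from-to}' and '{a,b,...}' groups, plus two lookups that apply the documented precedence (most specific netmask first, '@srcmac' rules before plain ones). The sample configuration is constructed for the example. Two points are assumptions of this example rather than documented behavior: '*@srcmac' is consulted only when no ip@... rule matched the sender, and only contiguous netmasks are accepted (Python's ipaddress module cannot express a mask like 255.255.65.31).

```python
"""Added example: parse ip-sentinel style config lines and apply the precedence rules."""
import ipaddress
import itertools
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration using the entry forms documented above.
SAMPLE_CONFIG = """\
0.0.0.0/0                   ## block anything ...
!192.168.0.0/24             ## ... except 192.168.0.*
192.168.0.0                 ## but block 192.168.0.0 with a random MAC
192.168.0.1 a:b:c:d:e:f     ## fixed MAC for 192.168.0.1
192.168.{2,4}.{1-3} 0:0:0:0:0:3
10.0.0.1@a:a:a:a:a:a        ## intruder: 10.0.0.1 *with* this MAC
10.0.0.2@!1:1:1:1:1:1       ## intruder: 10.0.0.2 with any *other* MAC
*@b:b:b:b:b:b               ## this MAC is an intruder whatever IP it uses
"""

RANGE_RE = re.compile(r"\{([^{}]*)\}")


def expand_ranges(line: str) -> list:
    """Expand every '{from-to}' or '{a,b,...}' group on a line; several groups
    on one line multiply out (cartesian product), as the documentation shows."""
    parts = RANGE_RE.split(line)          # literal, group, literal, group, ...
    choices = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            choices.append([part])
        elif "," not in part and "-" in part:
            lo, hi = part.split("-", 1)
            choices.append([str(n) for n in range(int(lo), int(hi) + 1)])
        else:
            choices.append([item.strip() for item in part.split(",")])
    return ["".join(combo) for combo in itertools.product(*choices)]


def norm_mac(text: str) -> str:
    """Canonical lower-case form, e.g. 'a:b:c:d:e:f' -> '0a:0b:0c:0d:0e:0f'."""
    octets = text.lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {text!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)


@dataclass
class Rule:
    net: Optional[ipaddress.IPv4Network]  # None for the '*@srcmac' form
    ignore: bool = False                  # '!' prefix: never answer for these IPs
    mac: Optional[str] = None             # MAC to announce; None = random
    srcmac: Optional[str] = None          # '@srcmac': match the request's sender
    negate: bool = False                  # '@!srcmac'

    @property
    def rank(self):
        # Most 1-bits in the netmask wins; among equal masks, '@srcmac' rules win.
        return (self.net.prefixlen, self.srcmac is not None)


def parse_entry(entry: str) -> Rule:
    """One expanded, comment-free entry -> Rule. Contiguous netmasks only (assumption)."""
    if entry.startswith("*@"):
        return Rule(net=None, srcmac=norm_mac(entry[2:]))
    ignore = entry.startswith("!")
    entry = entry.lstrip("!")
    srcmac, negate = None, False
    if "@" in entry:
        entry, src = entry.split("@", 1)
        negate = src.startswith("!")
        srcmac = norm_mac(src.lstrip("!"))
    fields = entry.split()
    net = ipaddress.ip_network(fields[0], strict=False)  # 'a.b.c.d', '/26' or '/255.255.255.0'
    mac = norm_mac(fields[1]) if len(fields) > 1 else None
    return Rule(net=net, ignore=ignore, mac=mac, srcmac=srcmac, negate=negate)


def load_config(text: str) -> list:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # '#' starts a comment
        if line:
            rules.extend(parse_entry(e) for e in expand_ranges(line))
    return rules


def answer_for(rules, target_ip: str) -> Optional[str]:
    """MAC to announce when target_ip is requested ('random' if none was given),
    or None when the address is ignored. '@' rules never answer for their ip."""
    ip, best = ipaddress.ip_address(target_ip), None
    for r in rules:
        if r.net is None or r.srcmac is not None or ip not in r.net:
            continue
        if best is None or r.rank > best.rank:
            best = r
    if best is None or best.ignore:
        return None
    return best.mac or "random"


def sender_is_intruder(rules, sender_ip: str, sender_mac: str) -> bool:
    """Apply 'ip@srcmac', 'ip@!srcmac' and '*@srcmac' to a request's sender address."""
    ip, mac, best = ipaddress.ip_address(sender_ip), norm_mac(sender_mac), None
    for r in rules:
        if r.net is not None and r.srcmac is not None and ip in r.net:
            if best is None or r.rank > best.rank:
                best = r
    if best is not None:                  # the most specific ip@... rule decides
        return (mac == best.srcmac) != best.negate
    # '*@srcmac' blocks the MAC everywhere unless an ip@... rule matched (assumption).
    return any(r.net is None and r.srcmac == mac for r in rules)
```

Single IPs are simply /32 networks here, so "most 1 bits wins" makes them beat any enclosing network without a separate lookup; the real daemon keeps the two in different structures (O(log n) versus O(n)), but the precedence outcome is the same. With the sample above, a request for 192.168.0.7 gets no answer, 192.168.0.0 and 169.254.145.213 get a random MAC, and a request from 10.0.0.2 with MAC 2:2:2:2:2:2 marks the sender as an intruder.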
Example
0.0.0.0/0 ## Block anything
!192.168.0.0/24 ## Allow IPs of the form 192.168.0.*
192.168.0.0 ## but block 192.168.0.0
192.168.0.1 a:b:c:d:e:f ## use a special mac for 192.168.0.1
192.168.0.2 802.1d ## and 01:80:C2:00:00:00 for 192.168.0.2
10.0.0.1@a:a:a:a:a:a
10.0.0.2@!1:1:1:1:1:1
*@b:b:b:b:b:b ## block MAC b:b:b:b:b:b regardless of the IP
This setup will not send ARP replies for the IPs 192.168.0.{3-255}, but when a host tries to use e.g. 169.254.145.213, ip-sentinel will announce that this IP has a MAC of 'de:ad:be:ef:00:XX'.

When an intruder is at '10.0.0.1' and uses the MAC 'a:a:a:a:a:a', a faked reply will be generated. Users at the same IP but with another MAC will be ignored.
Conversely, users with IP '10.0.0.2' and MAC '1:1:1:1:1:1' will be ignored, but intruders with other MACs (e.g. '2:2:2:2:2:2') get faked replies. When --poison is used, ip-sentinel will generate a '10.0.0.2 is at 1:1:1:1:1:1' ARP reply to the broadcast address.
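What such a faked reply looks like on the wire, as an added example that is not ip-sentinel's own code: a Python encoder for the Ethernet/ARP reply ('10.0.0.2 is at 1:1:1:1:1:1', unicast to the requester or, as with --poison, to the broadcast address), a decoder for it, a generator for the switch-friendly 'de:ad:be:ef:00:XX' pool, and a detection check that flags replies binding an IP to that pool or to the 802.1d/802.3x addresses. The page does not say how XX is chosen or which Ethernet source address the daemon uses; the 60-second window of 32 consecutive XX values and the use of the fake MAC as Ethernet source are assumptions of this example, and all addresses are constructed.

```python
"""Added example: the ARP reply an ip-sentinel answer amounts to, plus a decoder and detector."""
import random
import struct
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
BRIDGE_GROUP = "01:80:c2:00:00:00"      # '802.1d'
PAUSE = "01:80:c2:00:00:01"             # '802.3x'
RANDOM_POOL = "de:ad:be:ef:00:"         # prefix of the switch-friendly random MACs


def mac_bytes(mac: str) -> bytes:
    return bytes(int(o, 16) for o in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def random_mac(now: float = None, rng=random) -> str:
    """A MAC from the de:ad:be:ef:00:XX pool. Assumption of this example: within
    one 60 s window XX is drawn from 32 consecutive values, so a switch's address
    table sees at most 32 new entries per window instead of 256."""
    now = time.time() if now is None else now
    base = (int(now // 60) * 32) & 0xFF
    return RANDOM_POOL + f"{(base + rng.randrange(32)) & 0xFF:02x}"


def arp_reply(blocked_ip, fake_mac, requester_ip, requester_mac, poison=False) -> bytes:
    """Ethernet + ARP frame saying 'blocked_ip is at fake_mac'. Sent to the
    requester, or with poison=True to the broadcast address so every host on the
    segment updates its ARP table. Using fake_mac as the Ethernet source address
    is an assumption of this example."""
    dst = BROADCAST if poison else requester_mac
    eth = mac_bytes(dst) + mac_bytes(fake_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(fake_mac) + ip_bytes(blocked_ip)         # sender = the claimed binding
    arp += mac_bytes(requester_mac) + ip_bytes(requester_ip)  # target = who asked
    return eth + arp


def parse_arp(frame: bytes):
    """Decode an Ethernet/ARP frame into its addresses, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def looks_like_sentinel_reply(pkt) -> bool:
    """Detection side: an ARP reply binding an IP to the random pool or to one of
    the reserved 802.* addresses is worth logging on a monitored segment."""
    if pkt is None or pkt["op"] != ARP_REPLY:
        return False
    return pkt["sender_mac"].startswith(RANDOM_POOL) or pkt["sender_mac"] in (BRIDGE_GROUP, PAUSE)
```

The 42-byte frame is the whole story of the technique: hosts that accept unsolicited replies update their tables from the sender fields, and with the broadcast destination every host on the segment does so at once. That is also why the switch caveats above matter: the fake MAC now appears as a source on the ip-sentinel port, and with an 802.* value the victim's later frames have a destination the switch may refuse to forward.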
