   From: vjs@calcite.rhyolite.com   
      
   In article <8cbcd4e9-497a-4499-b6ee-4153b730ff4a@g39g2000pri.googlegroups.com>,   
   Bob wrote:   
      
   >I think I have a solution for what I'm working on. Our client
   >software already sends a TCP message to the server. All I have
   >to do is compare what the client's IP address is with what I
   >know the server's IP is (the first 3 octets), they should always
   >match. If someone puts a router in between, they won't, or
   >even 2 routers back to back, or whatever combination (I believe).
   >Since I don't care about switches and only about routers,
   >this should work.
   >
   >I'll post again once I verify it works.
      
   The portable, more automated way of doing that is for your software to   
   read the list of network numbers and netmasks from the local computer.   
   That will work even when you are not using a class-C network.   
      
   What is your threat model? In other words, are you trying to defend   
   against bad guys? If so, can they put packets on your local network   
   or can they do things to either the computers running your client   
   software or your server? If so, then checking that the network number   
   of the other computer's IP address is the same as (one of) the IP   
   address(es) of this computer is not sufficient to detect routers or   
   other boxes inserted in the packet path between the two computers.   
      
   If you let me send and receive packets to and from your network, then   
   in many cases I can detour packets between any two of your computers   
   through my computers. If one or more of my computers are on your   
   network, then I'm likely to have no trouble at all detouring your   
   packets. Ways to do that sort of thing include:   
    - ICMP redirects   
    - bogus proxy ARP or ARP spoofing
    - advertising IGP host routes   
      
      
   Vernon Schryver vjs@rhyolite.com   
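
Added example, not part of the original post: the netmask-based comparison suggested in the reply, set beside the first-three-octets comparison from the quoted message. The interface list is a constructed sample standing in for what would be read from the local computer, and the function names are hypothetical. A match only says the two addresses are numbered on the same network; as the reply notes, it does not detect a box inserted in the packet path.

```python
import ipaddress

# Constructed sample: address/prefix pairs as they would be read from the
# local interface table (illustrative values, not from the original post).
LOCAL_INTERFACES = ["10.20.4.17/22", "192.168.7.130/26"]


def first_three_octets_match(a, b):
    """The quoted heuristic: equal first three octets (silently assumes /24)."""
    return a.split(".")[:3] == b.split(".")[:3]


def shared_network(peer, local_interfaces):
    """Return the local network that contains peer, or None if it is off-link."""
    peer_ip = ipaddress.ip_address(peer)
    for text in local_interfaces:
        iface = ipaddress.ip_interface(text)
        # Compare within one address family only, then test real membership
        # using the interface's own netmask rather than a fixed octet count.
        if peer_ip.version == iface.version and peer_ip in iface.network:
            return iface.network
    return None


def compare(peer, local_interfaces):
    """Return (octet_heuristic_result, netmask_result) for one peer address."""
    naive = any(
        first_three_octets_match(peer, str(ipaddress.ip_interface(i).ip))
        for i in local_interfaces
    )
    real = shared_network(peer, local_interfaces) is not None
    return naive, real


if __name__ == "__main__":
    # Constructed peers: the two checks disagree on the first two.
    for peer in ["10.20.7.200", "192.168.7.10", "192.168.7.140", "172.16.0.1"]:
        naive, real = compare(peer, LOCAL_INTERFACES)
        print(f"{peer:15} first-3-octets={naive!s:5} same-network={real}")
```
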
      