T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
2586.1 | | NETCAD::HERTZBERG | History: Love it or Leave it! | Fri Aug 04 1995 12:06 | 13 |
| The DR900TM has no restriction which would prevent multiple MAC
addresses per port. However, it only supports two authorized addresses
per port, and the two addresses must be shared by the same system.
The setup your customer describes is beyond the scope of the 900TM's
security capability, both for eavesdropping and intrusion. The 900TM
will work just fine with an external mini-hub, but there's no way to
run any security in this configuration.
There are no plans to upgrade the 900TM, 900GM, or 90TS to support more
authorized addresses. The 900TP supports 4 authorized addresses per
port, and thus could work with and enforce security for up to four
stations per port.
|
2586.2 | | STRWRS::KOCH_P | It never hurts to ask... | Fri Aug 04 1995 12:16 | 8 |
|
Thanks for the update. In regard to the 900TP, this means that it can
support 128 addresses total, but only 4 per port?
In regard to the two authorized addresses, how does it know that the
address is coming from a single station? Since a repeater doesn't have
a MAC address and I plug into a 4 port repeater which has 2 systems on
it, how does it know that there are in fact 2 systems attached?
|
2586.3 | | NETCAD::HERTZBERG | History: Love it or Leave it! | Fri Aug 04 1995 13:51 | 30 |
| >> In regard to the 900TP, this means that it can support 128
>> addresses total, but only 4 per port?
Correct. I believe both the thinwire port and docking station AUI
port support 4 addresses per port, by the way, so it's a bit over 128
authorized addresses for the box.
>> In regard to the two authorized addresses, how does it know that the
>> address is coming from a single station? Since a repeater doesn't have
>> a MAC address and I plug into a 4 port repeater which has 2 systems on
>> it, how does it know that there are in fact 2 systems attached?
It won't know, actually. This wouldn't present a problem for
intrusion protection. No intrusion event occurs so long as the two
source addresses seen on the port are the two authorized addresses.
Where this would fall apart is in eavesdrop protection. The
hardware only supports one address at a time for eavesdropping, and the
address used is the last source address seen on traffic received by the
port. Any packet to be transmitted out the port will be jammed unless
the destination address of that packet is the same as the last source
address received on that port. So if the two stations were creating
simultaneous traffic, there'd be a whole lot of eavesdrop events and
large numbers of jammed packets. This is why we advertise that
security only works when there is one station out there.
Hope this explains the situation.
Marc
|
2586.4 | keep it simple sir | MIMS::WELLONS_T | | Fri Aug 25 1995 16:08 | 6 |
| I need a little more clarification please. Does the statement about
supporting 4 stations mean the port will do eavesdrop protection on all
four addresses and also enforce intrusion protection on all addresses
except the four authorized, on the 900TP? Or, put more simply, can
four authorized stations send and receive packets through the same port
with security enabled?
|
2586.5 | | NETCAD::HERTZBERG | History: Love it or Leave it! | Fri Aug 25 1995 19:22 | 19 |
| To your questions, yes and yes.
Clarification, hopefully.
Up to four authorized addresses may be defined per port.
Eavesdropping protection, when enabled, affects packets in the
portswitch which are to be transmitted out the port. The packets will
be transmitted in the clear if the destination address matches any of the
up-to-four defined authorized addresses for that port. If the
destination address matches none of the defined authorized addresses,
the packet's data field will be garbled during transmission to prevent
unauthorized eavesdropping.
If intrusion security is enabled with (up to four) authorized addresses
specified, then an intrusion event will occur if packets received from
a station on that port have a source address which does not match any
of the defined authorized addresses.
|
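The two eavesdrop-protection rules described in this thread (2586.3: the 900TM keys on the last source address seen on the port; 2586.5: the 900TP checks the destination against its list of up to four authorized addresses) can be replayed against the same traffic to see why the first one falls apart with two stations behind a mini-hub. The following is an added example written for this page; it is not DEC code or documentation. The `PortSecurity` model, the `rx`/`tx` event format and the station addresses `A`, `B`, `C` are all constructed for the simulation.

```python
"""Simulation of the per-port security rules described in the thread.

Constructed model, not DEC firmware. Two eavesdrop-protection modes:
  "last_source"     - the port remembers only the most recent source address
                      received and jams any outbound frame to another address
                      (the 900TM/900GM/90TS behaviour in 2586.3).
  "authorized_list" - the port transmits in the clear only if the destination
                      is one of its (up to four) authorized addresses
                      (the 900TP behaviour in 2586.5).
Intrusion protection is the same in both: a received frame whose source is not
an authorized address raises an intrusion event.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Outcome:
    """Summary of one traffic replay."""
    clear: int = 0                                 # frames sent out unmodified
    jammed_to: List[str] = field(default_factory=list)  # destinations of jammed frames
    intrusions: int = 0                            # intrusion events raised


@dataclass
class PortSecurity:
    """Security state of one repeater port (constructed model)."""
    mode: str                          # "last_source" or "authorized_list"
    authorized: Set[str]               # authorized MAC addresses for this port
    max_auth: int = 4                  # 900TP limit from the thread; 900TM would be 2
    last_source: Optional[str] = None  # only consulted in "last_source" mode
    intrusion_events: int = 0
    eavesdrop_events: int = 0

    def __post_init__(self) -> None:
        if self.mode not in ("last_source", "authorized_list"):
            raise ValueError(f"unknown mode {self.mode!r}")
        if len(self.authorized) > self.max_auth:
            raise ValueError(f"at most {self.max_auth} authorized addresses per port")

    def receive(self, src: str) -> bool:
        """A frame arrives from the station side. Returns True on an intrusion event."""
        # Per 2586.3 the port tracks the last source seen, authorized or not.
        self.last_source = src
        if src not in self.authorized:
            self.intrusion_events += 1
            return True
        return False

    def transmit(self, dst: str) -> str:
        """A frame is about to go out this port. Returns 'clear' or 'jammed'."""
        if self.mode == "last_source":
            permitted = dst == self.last_source
        else:
            permitted = dst in self.authorized
        if not permitted:
            self.eavesdrop_events += 1
            return "jammed"
        return "clear"


# Constructed traffic: ("rx", src) is a frame received from the port's segment,
# ("tx", dst) is a frame the portswitch wants to send out that port. Stations A
# and B behind a mini-hub send requests back to back, then the replies arrive.
TWO_STATION_TRAFFIC: List[Tuple[str, str]] = [
    ("rx", "A"), ("rx", "B"), ("tx", "A"), ("tx", "B"),
    ("rx", "A"), ("rx", "B"), ("tx", "A"), ("tx", "B"),
]


def run_traffic(port: PortSecurity, traffic: List[Tuple[str, str]]) -> Outcome:
    """Replay a traffic list through one port and summarise what happened."""
    out = Outcome()
    for kind, addr in traffic:
        if kind == "rx":
            if port.receive(addr):
                out.intrusions += 1
        elif port.transmit(addr) == "clear":
            out.clear += 1
        else:
            out.jammed_to.append(addr)
    return out


def two_stations(mode: str) -> Outcome:
    """Two authorized stations A and B sharing one port."""
    port = PortSecurity(mode=mode, authorized={"A", "B"})
    return run_traffic(port, TWO_STATION_TRAFFIC)


def intruder(mode: str) -> Outcome:
    """Same port, but an unauthorized third station C also sends."""
    port = PortSecurity(mode=mode, authorized={"A", "B"})
    return run_traffic(port, [("rx", "A"), ("rx", "C"), ("tx", "A"), ("tx", "C")])


if __name__ == "__main__":
    for m in ("last_source", "authorized_list"):
        print(m, two_stations(m), intruder(m))
```

With the interleaved two-station traffic, `last_source` mode jams every reply to A (B was the last station heard from), which is the "whole lot of eavesdrop events and large numbers of jammed packets" Marc describes; `authorized_list` mode delivers all four replies in the clear. In the intruder replay both modes raise one intrusion event, but note what each jams: the list-based rule jams the frame addressed to C, whereas the last-source rule, following exactly the description in 2586.3, jams the frame to A and lets the frame to C through because C was the last source seen.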